Friday, July 11, 2008

Assume Your Network Will Be Breached, says Homa

Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, has two key observations about PCI, and his opinions come from hard-won experience: PCI-compliant Hannaford was the victim of an especially large data breach when data from 4.2 million payment cards was stolen.

According to an interview in Storefront Backtalk, Homa finds particular fault in one aspect of the current PCI standard: "All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI," which only requires encryption when transmitting over a public network such as IP.

The PCI rationale is that private point-to-point networks—such as the one Hannaford uses—are sufficiently secure that they don't need encryption. Homa disagrees. "Nowadays, encryption is not that expensive. And there's no such thing as a secure network," he said. "If you think your network is secure, you're delusional."

Homa observes that most retailers handle security backwards. They put all of their attention on protecting the front door, instead of assuming thieves will get through and having a plan to control them once they're inside.
