Over 4 Million Credit and Debit Card Numbers Stolen
Hannaford Bros. supermarket chain reports that a computer system breach may have given criminals access to over 4 million customer credit and debit cards. Hannaford Bros. states that their "security measures meet industry compliance." So, how did this breach happen to an organization compliant with PCI?
Hannaford Bros. states in their corporate press release that credit card and debit card numbers and expiration dates were “illegally accessed from our computer systems during transmission of card authorization”. So it appears that the data was stolen during the card authorization process. This could mean the data was captured by a “sniffer” on the network at either Hannaford's or the card processor, or it could mean that the data was stolen directly from Hannaford Bros.' or the card processor's databases, where card data and authorization codes are stored. In any case, there have been 1,800 reported cases of fraud as a result of this breach.
The bottom line is that Hannaford Bros. did not sufficiently protect their customers’ credit and debit card data. Some people are now questioning how this could have happened if Hannaford Bros. was PCI compliant (as they claim). These same people now question whether PCI is useful at all in protecting cardholder data. The answer is that PCI is a very valuable set of guidelines for protecting data. However, too many companies are doing the bare minimum to pass a PCI audit or assessment. We call this “Checkbox PCI compliance”. If companies are really serious about protecting their data, they must move beyond “Checkbox Compliance” and implement the necessary controls to prevent data breaches. To view a webinar on “Moving Beyond Checkbox PCI Compliance” hosted by VeriSign and Tizor, click here.
So what should Hannaford Bros. have done? Well, they should have followed all the PCI requirements – it's that simple! Specifically, PCI requirement #4 states that companies must “encrypt transmission of cardholder data across open, public networks”. We don’t yet know if Hannaford Bros. encrypted their network transmissions or if there was an issue at the card processor site.
Secondly, PCI requirement 10 states that companies must “Track and monitor access to all network resources and cardholder data”. Cardholder data is typically stored in an operational database. What was Hannaford Bros. doing to monitor their database activity? Like most companies, they were probably doing nothing. Or perhaps they used a simple log management tool, which cannot detect or prevent data theft.
It’s time to get serious about PCI, and it’s time to revisit how companies are protecting their stored data. Database monitoring and auditing can help companies meet 5 of the 12 PCI requirements.
PCI Requirements and Data Auditing:
PCI 1: Install and maintain a firewall configuration
Once a firewall is in place, Data Auditing helps ensure that the right IP addresses are coming through the firewall. By monitoring network IP addresses, Data Auditing can identify un-trusted networks.
PCI 3: Protect stored cardholder data
Protecting cardholder data depends on knowing what is happening to data at all times. Data Auditing provides detailed and automated insight into user activity affecting cardholder data. Encryption is recommended in the PCI standard; however, there are many situations where it is not practical or possible to use encryption. In these situations, compensating controls may be used. Data Auditing is a compensating control for encryption.
PCI 6.3.3: Separation of duties between development, test and production environments
PCI compliance cannot be accomplished without ensuring separation of duties between production DBAs and application DBAs. Maintaining separation between those who build and maintain database applications, those who create data activity reports for auditors and those who maintain database content is critical for cardholder data security.
PCI 7: Implement strong access controls
Data Auditing helps validate that access controls are working. If access controls are compromised, Data Auditing helps track who accessed data to provide an additional layer of cardholder data security.
PCI 10: Track and monitor all access to network resources and cardholder data
Requirement 10 mandates auditing all access to cardholder data, reviewing audit logs daily, and being able to reconstruct a range of events tied to cardholder information, with detailed audit trails for each event. Controls recommended to address PCI 10 include: discovering where your sensitive credit card data exists; auditing all database activity; auditing all privileged user activity; and providing regular summary and detailed reports on all data activity. Data Auditing addresses all of these requirements with no negative impact on existing systems, applications and processes.
Tizor Mantra for PCI compliance and monitoring: scalable, cost-effective, easy to deploy.
Mantra protects your business by meeting the monitoring, auditing and reporting mandates of PCI. In fact, Mantra PCI Policy Templates help you achieve compliance with many key PCI requirements immediately upon deployment.
Mantra's rich reporting and automated analytics isolate potential PCI noncompliance and unauthorized cardholder data access and activity.
Mantra is the most complete, easy-to-deploy and cost-effective PCI data auditing and protection solution. Mantra:
- Enables the discovery of credit card data in relational databases and on file servers.
- Automates the detailed auditing of all activity affecting cardholder data.
- Audits all actions taken by any individual with root or administrative privileges.
- Captures the exact commands given to the data server to facilitate forensic reconstruction of activity and the precise exposure of a PCI violation.
- Applies patent-pending Behavioral Fingerprinting technology to detect theft of cardholder data as it happens.
- Utilizes change control functions to enable you to track database changes and reconcile them with change control tickets to ensure that only authorized changes were made.
- Enables compliance with key PCI requirements immediately upon deployment using the Mantra pre-configured PCI Policy Template.
- Provides rich reporting with reports designed for all levels of PCI stakeholders, including PCI auditors.
- Recognizes all major credit cards, including American Express, Diners Club, MasterCard, Visa, Discover, and Japanese Credit Bureau.
- Scans for any database transaction that contains credit card numbers. Any time it identifies a credit card number on a command or in a result/response, Mantra will audit the event and send an alert if necessary.
- Provides a choice of either agent-less or agent-based local auditing to allow you to track the activity of all users, including privileged users, using the methodology that best fits the needs of your enterprise.
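The two bullets on recognizing card brands and scanning commands and responses for card numbers describe a detection step that is easy to show in code. The following is an added example, not Tizor's or Mantra's code: it scans one database command and its result rows for PAN-like digit runs, filters them with a Luhn check and approximate brand prefix rules (an assumption; the page names the brands but gives no rules), and emits an audit record with the alert flag set and the PAN masked to first six and last four digits. All sample values are constructed test data.

```python
import re

# Brand prefix/length rules are an assumption for illustration only;
# the page names these brands but does not give Mantra's detection rules.
BRAND_PATTERNS = {
    "Visa": re.compile(r"4\d{12}(?:\d{3})?$"),
    "MasterCard": re.compile(r"5[1-5]\d{14}$"),
    "American Express": re.compile(r"3[47]\d{13}$"),
    "Discover": re.compile(r"6011\d{12}$"),
    "Diners Club": re.compile(r"3(?:0[0-5]|[68]\d)\d{11}$"),
    "JCB": re.compile(r"35\d{14}$"),
}
# Candidate: 13-16 digits, optional space/dash separators, not inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check, used to weed out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return (brand, masked_pan) for every plausible card number in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        for brand, pattern in BRAND_PATTERNS.items():
            if pattern.match(digits):  # audit record keeps only first six / last four
                hits.append((brand, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
                break
    return hits

def audit_event(user, client_ip, statement, response_rows=()):
    """Audit record for one database command plus its result rows;
    alert is set when a PAN appears in the command or in any response row."""
    found = find_pans(statement)
    for row in response_rows:
        found += find_pans(" ".join(str(v) for v in row))
    return {
        "user": user, "client_ip": client_ip, "statement": statement,
        "pan_count": len(found), "brands": sorted({b for b, _ in found}),
        "masked": [m for _, m in found], "alert": bool(found),
    }
```

In a real deployment the statement and rows would come from the agent or network capture the bullets describe; here they are passed in directly so the logic can be exercised on its own.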
For more information, contact us: info@tizor.com or call 800-231-8224