Posted by Marc Othersen on March 28, 2008
By now, most people have heard about the data breach at Hannaford. Here are some thoughts regarding potential fallout:
1) The PCI standard may change. Much depends on Hannaford disclosing the control failures that led to the data breach. The standard may be strengthened to address control areas that may have been overlooked. Should the controls that failed not be part of the current PCI standard, they will most likely be added in the future. Should the controls already exist in the standard, they may be rewritten for clarity, or more detailed implementation guidance may be needed.
2) PCI compliance auditors may be scrutinized. It is unclear at this point whether the methodology used by Hannaford’s auditors was inadequate. The payment card industry may re-evaluate its criteria for certification and impose more stringent requirements. It may follow in the footsteps of the PCAOB and release audit guidelines to increase the consistency of compliance audits.
3) Lawsuits abound. Cardholders may file a class action lawsuit against Hannaford for failing to protect their information. Hannaford may sue its PCI auditors for damages caused by inadequate audits.
4) Organizations may want a second opinion. Organizations governed by PCI may, in the short term, pay for additional reviews of their controls from sources other than their usual PCI auditors in order to gain further assurance that they have effective controls in place. PCI audit and consulting companies may see a dramatic short-term increase in business.