Hannaford Breach Raises New Fears
At first, it sounded like another in a long line of credit card breaches: up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.
But the specifics of the crime, revealed that week, included some troubling twists that might expose big holes in the payment industry's security standards.
For one thing, Hannaford said the sensitive data was exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.
While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.
“Catching documents on the move is a bit more challenging,” said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it
Another intriguing facet is that Hannaford was found, while the hack was still going on last month, to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.
The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford’s auditor was not disclosed.
The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants, and by extension their customers, are falsely confident about their security. Already, the PCI standards have been tightened in…
Original post by Top Tech News