Why So Many Retail Stores Get Hacked for Credit Card Data

The industry’s security standards don’t guarantee security

When a big retailer gets hacked, it’s often quick to note that it has complied with cybersecurity rules set by the credit card industry. MasterCard, Visa, and other card companies require retailers to pass an audit sanctioned by the Payment Card Industry (PCI) Security Standards Council, an industry group.

It turns out that PCI accreditation doesn’t always offer much protection against fraud. Neiman Marcus noted it had met PCI standards when it said in January that customer cards may have been compromised from July to October. Target, which suffered a record-breaking hack in November, had been certified as compliant two months earlier. Grocery chain Hannaford Brothers and payment processors WorldPay and Heartland Payment Systems were also hacked shortly after receiving passing marks from PCI assessors, who judge a company based on six main groups of security measures, broken into smaller items such as firewalls and antivirus software.