On September 28, Whole Foods announced that their restaurants had experienced a hack. Lately, we’ve heard of BIG companies who have had online exposures, including Equifax and Deloitte; now Whole Foods has been added to the list, as many customers’ credit card details were exposed.
You’ve probably heard that Amazon recently bought Whole Foods. Fortunately, Amazon has maintained separate payment terminals for the different lines of business within Whole Foods. That means the hack was limited to the Whole Foods Restaurants only – not the grocery department. Likewise, Amazon’s own payment systems were not affected by the hack.
What should customers do now?
It’s important for customers who have dined at Whole Foods Restaurants over the past few months to monitor their credit card statements for any unauthorized charges. Customers can also increase their own security by visiting their bank (or an ATM) and changing their PINs.
Was Whole Foods Compliant?
It’s hard to say, as Whole Foods has not made any comments to the media. This hack, however, would be classified as a breach under the PCI (Payment Card Industry) Standard. When retailers experience a breach like this, it’s important that they can demonstrate they were operating as a compliant organization at the time of the breach.
What does it mean to be PCI compliant?
The PCI Data Security Standard has 12 core requirements in Version 3.2, which came into effect in April 2016. The requirements are grouped into 6 control objectives. To be compliant with the PCI standard, a business must implement all 12 requirements. Each of the 12 requirements is broken down further into sub-requirements, to make them easier to implement and assess.
While the major part of being PCI compliant is adhering to the Data Security Standard, the PCI Security Standards Council has also issued several pieces of supplemental information, such as its guidance on penetration testing and its Wireless Guidelines.
Build and Maintain a Secure Network
To be PCI compliant, a business must build and maintain a secure network. The core requirements under this control objective are to install and maintain a firewall configuration that protects cardholder data, and to change vendor-default passwords rather than leaving them in place.
Protect Cardholder Data
An organization practicing PCI compliance must protect cardholder data. Cardholder data must be protected while stored and encrypted while transmitted over a network.