FRAMINGHAM, Mass. (3/31/08)--Credit unions and banks will have a difficult time getting Hannaford Bros. to pay their breach-related costs if the grocery chain was compliant with the Payment Card Industry (PCI) Data Security Standard when the breach occurred.

If that's the case, Hannaford has a safe harbor under PCI and will not be required to reimburse banks and credit unions for the costs they incur in replacing cards, notifying member/customers, and for fraud, Avivah Litan, an analyst for research firm Gartner Inc., told Computerworld (March 27). Hannaford says it was recertified as compliant with PCI in February and had been similarly certified last year.

PCI refers to 12 security controls that merchants accepting payment-card transactions must follow. If they don't, they are fined by Visa, MasterCard, and other major card companies.

Litan said that under the rules, if a company is noncompliant and suffers a breach, it faces both potential fines and reimbursements to credit unions and banks of their breach-related costs, including actual fraud losses. The fines and reimbursement costs are not collected directly from the merchant but through that merchant's acquiring bank, which authorizes the merchant, such as Hannaford or TJX Cos., to accept the transactions. It is these banks that are directly responsible for ensuring that merchants are PCI-compliant, Litan said. Under PCI rules, the acquiring bank can't take the reimbursement problem back to the retailer.

Computerworld noted that reimbursement is a sticky point for credit unions and banks. It mentioned that several credit union leagues lobbied state governments to pass laws that would make retailers responsible for the costs of a breach, and that only Minnesota has passed such a law. Although credit unions and banks--and consumers--may not have recourse under PCI rules, they still can file lawsuits, the article said.

The Hannaford breach, which compromised 4.2 million cards in New England, New York and Florida, was discovered Feb. 27 and made public March 17. It affects transactions at grocery stores from Dec. 7 to March 10. So far about 2,000 actual incidents of fraud have been reported, said Hannaford.