The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we’ve gotten from the council since the announcement of the Hannaford breach earlier this year.

This statement is the first to be released to try and counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the council, vague as it is, merchants should feel better about their PCI programs.

The PCI DSS, if properly implemented on a merchant or service providers’ network, provides the security controls necessary to prevent hackers from penetrating a payment environment and installing malicious software that would jeopardize the protection of card data as it is being processed.

So does that mean that PCI DSS was not properly implemented at Hannaford? If it was not properly implemented, how would they have passed a QSA’s PCI assessment? Maybe the new Q/A program at the council will address something like this, but then again, maybe it is all up to interpretation?

This post originally appeared on