Under existing rules, a company doesn't need to encrypt payment data while it's in transit within its own internal network. But Russo contended that if a company implemented all of the existing PCI controls, it wouldn't be possible for attackers to get at the information while it's being transmitted internally.

"Just because [Hannaford] raised their hand and said they were compliant doesn't necessarily mean they were compliant," Russo said. He added that all of the known data breaches involving companies covered by the PCI rules have happened because the merchants failed to fully comply with the security requirements.

Encrypting payment card data before it even reaches point-of-sale systems is one way to minimize the risk of data-in-transit thefts, Litan said. But tools that could enable companies to do that are just emerging from vendors such as VeriFone Inc., she added. And at this early stage, installing the tools may require a heavy investment of time and effort on the part of users.

A more straightforward approach would be to better monitor corporate networks for the telltale signs of system intrusions, said Ken Pappas, a security strategist at Top Layer Networks Inc., which sells intrusion-prevention systems. For example, looking at where data traffic is headed could give security managers a clear indication of whether transmissions are legitimate.

The techniques used to pull off data-in-transit heists really aren't all that new. Typically, perpetrators first gain access to a targeted network by taking advantage of a vulnerability that has yet to be detected or patched. Once the attackers get a foothold, they can deploy malware that can sniff the network for traffic they're interested in, such as credit card data.

The malware can also be programmed to queue the stolen data and send it in batches to an outside destination, as was the case with the Hannaford intrusion.

Eddie Schwartz, chief security officer at NetWitness Corp., a vendor of network monitoring tools, said that over the past two years, overseas "carder gangs" that buy and sell stolen payment card numbers have been using data-sniffing tools in an effort to intercept information while it's being transmitted across networks.

"People are finally waking up and focusing on it," Schwartz said. He attributed the newfound interest to the attention generated by the breach at Hannaford, which has replaced all of its store servers as part of an attempt to rid its network of the malware installed there.

The data thefts can be hard to detect because often the stolen information is spirited out of a company via open network ports -- such as Port 80, which is used for online connections and serving up Web pages, or Port 443, which can be used to send secure communications over the Web.

Schwartz said that many companies don't even monitor those ports, assuming instead that all of the data traffic going out through them is legitimate.

Network managers should be watching the ports "for nonstandard traffic," he added. "If traffic is destined for Romania, and it's [using] Port 443, and it's not SSL traffic, that's a red flag -- and you should see it in minutes, not months."

Based on what's known about the Hannaford and Okemo breaches, it isn't clear whether they really do point to a new method of attack, said Deven Bhatt, director of corporate security at Airline Reporting Corp. in Arlington, Va. But he added that ARC, which provides ticket distribution and financial settlement services to more than 150 airlines and rail carriers, is reviewing its networks to make sure they aren't vulnerable to data-in-transit thefts.

ARC's review was prompted by Okemo's disclosure that its systems had been breached in a Hannaford-like fashion and by the reports that other companies may have been similarly attacked. Bhatt noted that ARC is fully compliant with the PCI requirements.

But Hannaford has made the same claim and yet was the victim of a data breach.

Chris Andrew, vice president of security technology at software vendor Lumension Security Inc., said the grocer's network obviously wasn't locked down tight, as evidenced by the fact that the malware was able to send the stolen data overseas.

"Clearly," he added, "there was a pathway back out of the network that Hannaford should have closed."

Computerworld is an InfoWorld affiliate.