Credit card data breach may expose troubling vulnerabilities in security

Customers make their way out of Hannaford Supermarket on Tuesday in Saco, Maine. The Eastern supermarket chain, Hannaford Bros. Co., has announced that authorities are investigating the theft of credit and debit card numbers in Maine and other states.

At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.

But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry’s security standards.

For one thing, Hannaford said the sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.

“Catching data on the move is a bit more challenging,” said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It’s easier when the vehicle is parked than when it’s zooming down a highway.

Another intriguing facet is that Hannaford was found – while the hack was still going on last month – to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies.

The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance.

That is performed by outside assessors. The identity of Hannaford’s auditor was not disclosed.

The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants – and by extension, their customers – are falsely confident about their security. Already the PCI standards have been tightened in recent years, after such massive data breaches as the one in 2005 at CardSystems Solutions Inc., a payment processor.

David Navetta, president of InfoSecCompliance LLC, a Denver law firm that concentrates on computer security and regulatory compliance, argues that Hannaford and its assessor may have been tripped up by ambiguity in the PCI standards about when companies must encrypt payment data to cloak it from outsiders.

In particular, the standards require companies to encrypt data that travels over computer networks “that are easy and common for a hacker to intercept.” Whether certain internal networks are “easy and common” to crack is a matter of judgment, so Navetta believes Hannaford may have erroneously felt safe leaving data unencrypted in a spot that turned out to be vulnerable.

Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process.

Wider use of encryption might seem an obvious answer. Because it’s so difficult to detect when information is being stolen while in transit, companies “need to wake up to the fact that they need to encrypt information along every step,” said Richard Gorman, CEO of Vormetric Corp., a data security firm in Santa Clara, Calif.

But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware.