Heartland Payments Breach

January 18th, 2009 | by Mark

Just as we were recovering from the TJ Maxx breach, Heartland Payment Systems coughs up some 100m credit card numbers. I guess when that happens you have to tell someone, so why not while everyone is distracted, say by a presidential inauguration? The Heartland marketing machine is definitely in damage control mode.

In case you missed it, this may end up being the largest data breach to date. We haven’t been told just yet how the credit card numbers got coughed up, other than that some new type of malware was found on their servers and is suspected to be the cause. How did this happen? Were the standards flawed, or were the policies and procedures used to test adherence to those standards flawed?

PCI DSS (the Payment Card Industry Data Security Standard) is there for a reason. Bad guys steal credit card numbers because it pays, and the credit card industry knows that if all the numbers get out it has a big problem. It seems, though, given the number of breaches at companies ‘in compliance’ such as Heartland, that the mechanisms used to check whether the standard is actually implemented are flawed. A passed assessment is a snapshot of one moment, not evidence that the controls held up in the months afterwards. What’s the result? Another company coughs up a whole bunch of credit card numbers.

The pundits have pontificated at length already, and many are blaming the PCI standard or blaming vendors for creating inadequate security solutions. I think we should be looking at the mechanisms used to test those products and to verify adherence to the standard – that’s a big part of the problem, and it has been overlooked. You can have great standards, but with no way to validate and verify adherence you end up with holes and cracks that can be exploited. It doesn’t make sense to keep using the same policies and procedures that have already failed. It’s time to break out and do something different.

I have a hunch there will be a lot of unhappy people getting new credit cards in the mail. Those numbers weren’t stolen for fun, and the bad guys will use them to steal money. Victims will be demanding better from us, the industry that’s supposed to be protecting this information. So, what are we going to do about it? We already require third-party PCI audits, and those have failed to stop data breaches. The policies and procedures they use are still broken. It’s time – past time – for us to revisit how we are validating compliance.
