

QSA system is broken, says Heartland CEO

14 October 2009

In a session titled ‘Enhancing payment security in 2010’, Robert O. Carr, Chairman and CEO of Heartland Payment Systems, the subject of potentially the world’s biggest data security breach earlier this year, declared that the model used by Qualified Security Assessors (QSAs) is “broken”.

Carr spoke openly to the SC World Congress audience in New York on 13 October, explaining candidly how Heartland Payment Systems suffered what is potentially the world’s largest data security breach, and how the breach made Heartland “a household name”.

The CEO of Heartland, a card processor that handles more than one million transactions a day, said that the media focused on the breach itself but failed to report on how Heartland responded to it.

“How you respond to the breach is critically important, and not many people listened to that part”, said Carr. “We were the quickest company to ever report a breach. As soon as we learned of the breach, we notified card brands, law enforcement and then made the public announcement”.

Heartland’s share price fell dramatically after the breach disclosure, and Heartland was delisted from Visa’s list of approved vendors. “We worked very hard to be reinstated weeks later”, confirmed Carr.

“What a lot of people don’t know is that in late 2007 we discovered a SQL injection into our corporate network. We caught it right away, and thought we’d nailed the problem”, said Carr. “We hadn’t”.

“In early 2008 we hired a QSA to perform a penetration test – which found nothing. On April 30th 2008, we were deemed PCI compliant”.

In hindsight, Carr insisted, “reports of QSAs are worth nothing. The system is broken, and it needs to be changed”.

In May 2008, Heartland’s payment network was penetrated, and in October, three months before the breach was officially found and announced, a card brand informed Heartland of suspected fraud. “We employed forensics companies to investigate this, and had several Heartland employees vigorously looking into this, but no evidence of intrusion was found”.

What Heartland Payment Systems did after the breach

Carr listed the action points that Heartland Payment Systems took in response to the data breach, which was announced in January 2009. “This is the stuff that went unreported by national press”, he said. “We responded to the data breach with the following action points:

  • Complete reimaging of servers
  • Additional network segregation
  • More intense monitoring
  • More data loss prevention efforts
  • Vontu
  • Everything else the card brands requested.

“We also followed the probation requirements, requested meetings with the card brands and PCI SSC officials, and worked really hard to get certified”, he said.

Ongoing work

Although the Heartland share price has made a decent recovery, that does not mean Heartland can become complacent, insisted Carr. “The work we’re doing to develop an end-to-end encryption standard will continue”, he said.

While Heartland’s CEO acknowledged the importance and need for PCI DSS, he also said that “there is room for improvement”. This, he said, is something that Heartland will continue to campaign for. “There are massive opportunities for improvement in payment security. These include better protection from insider attacks and human error. The fact that six million small merchants are having trouble managing 232 requirements also needs to be looked into”.

“QSAs and forensic companies aren’t sharing information on malware and their findings – if they started to do this, they would save time, and more vulnerabilities and breaches would be detected quicker”. In conclusion, Heartland’s CEO restated the need for the QSA system to be fixed. “At the moment a QSA is paid to do the quickest possible job, not the best possible job”.
