News

QSA system is broken, says Heartland CEO

14 October 2009

In a session titled ‘Enhancing payment security in 2010’, Robert O. Carr, Chairman and CEO of Heartland Payment Systems - the subject of potentially the world’s biggest data security breach earlier this year - declared that the model used by qualified security assessors (QSAs) is “broken”.

Carr spoke openly to the SC World Congress audience in New York on 13 October, explaining candidly how Heartland Payment Systems suffered what is potentially the world’s largest data security breach, and how the breach made Heartland “a household name”.

The CEO of Heartland, a card processor which processes more than one million transactions a day, said that the media focused on the breach itself but failed to report on how Heartland responded to it.

“How you respond to the breach is critically important, and not many people listened to that part”, said Carr. “We were the quickest company to ever report a breach. As soon as we learned of the breach, we notified card brands, law enforcement and then made the public announcement”.

Heartland’s share price fell dramatically after the breach disclosure, and Heartland was delisted from Visa’s list of approved vendors. “We worked very hard to be reinstated weeks later”, confirmed Carr.

“What a lot of people don’t know is that in late 2007 we discovered a SQL injection into our corporate network. We caught it right away, and thought we’d nailed the problem”, said Carr. “We hadn’t”.

“In early 2008 we hired a QSA to perform a penetration test – which found nothing. On April 30th 2008, we were deemed PCI compliant”.

In hindsight, Carr insisted, “reports of QSAs are worth nothing. The system is broken, and it needs to be changed”.

In May 2008, Heartland’s payment network was penetrated, and in October 2008, three months before the breach was officially confirmed and announced, a card brand informed Heartland of suspected fraud. “We employed forensics companies to investigate this, and had several Heartland employees vigorously looking into this, but no evidence of intrusion was found”.

What Heartland Payment Systems did after the breach

Carr listed the action points that Heartland Payment Systems took in response to the data breach, which was announced in January 2009. “This is the stuff that went unreported by national press”, he said. “We responded to the data breach with the following action points:

  • Complete reimaging of servers
  • Additional network segregation
  • More intense monitoring
  • More data loss prevention efforts
  • Vontu
  • Everything else the card brands requested.

“We also followed the probation requirements, requested meetings with the card brands and PCI SSC officials, and worked really hard to get certified”, he said.

Ongoing work

Although the Heartland share price has made a decent recovery, that does not mean Heartland can become complacent, insisted Carr. “The work we’re doing to develop an end-to-end encryption standard will continue”, he said.

While Heartland’s CEO acknowledged the importance and need for PCI DSS, he also said that “there is room for improvement”. This, he said, is something that Heartland will continue to campaign for. “There are massive opportunities for improvement in payment security. These include better protection from insider attacks and human error. The fact that six million small merchants are having trouble managing 232 requirements also needs to be looked into”.

“QSAs and forensic companies aren’t sharing information on malware and their findings – if they started to do this, they would save time, and more vulnerabilities and breaches would be detected quicker”. In conclusion, Heartland’s CEO restated the need for the QSA system to be fixed. “At the moment a QSA is paid to do the quickest possible job, not the best possible job”.
