
QSA system is broken, says Heartland CEO

14 October 2009

In a session titled ‘Enhancing payment security in 2010’, Robert O. Carr, Chairman and CEO of Heartland Payment Systems, the subject of what may have been the world’s biggest data security breach earlier this year, declared that the model used by Qualified Security Assessors (QSAs) is “broken”.

Carr spoke openly to the SC World Congress audience in New York on 13 October, explaining candidly how Heartland Payment Systems suffered what was potentially the world’s largest data security breach, and how the breach made Heartland “a household name”.

The CEO of Heartland, a card processor that handles more than one million transactions a day, said the media focused on the breach itself but failed to report how Heartland responded to it.

“How you respond to the breach is critically important, and not many people listened to that part”, said Carr. “We were the quickest company to ever report a breach. As soon as we learned of the breach, we notified card brands, law enforcement and then made the public announcement”.

Heartland’s share price fell sharply after the breach was disclosed, and Heartland was removed from Visa’s list of approved service providers. “We worked very hard to be reinstated weeks later”, confirmed Carr.

“What a lot of people don’t know is that in late 2007 we discovered a SQL injection into our corporate network. We caught it right away, and thought we’d nailed the problem”, said Carr. “We hadn’t”.

“In early 2008 we hired a QSA to perform a penetration test – which found nothing. On April 30th 2008, we were deemed PCI compliant”.

In hindsight, said Carr, “reports of QSAs are worth nothing. The system is broken, and it needs to be changed”.

In May 2008, Heartland’s payment network was penetrated, and in October, three months before the breach was officially confirmed and announced, a card brand informed Heartland of suspected fraud. “We employed forensics companies to investigate this, and had several Heartland employees vigorously looking into this, but no evidence of intrusion was found”, he said.
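The foothold Carr describes above was a SQL injection. As an added illustration, not Heartland’s code (the article does not describe the actual vulnerable query or its schema), the following Python snippet contrasts a lookup whose SQL is assembled by string formatting with the same lookup done through a parameterised statement. The merchant table, its rows and the `merchants` table name are constructed for the example and are hypothetical:

```python
import sqlite3

# Constructed sample data for the example; not Heartland's schema or records.
MERCHANTS = [
    ("m-1001", "Corner Cafe", "acct-11"),
    ("m-1002", "Book Nook", "acct-12"),
    ("m-1003", "Tire Depot", "acct-13"),
]


def new_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id TEXT, name TEXT, account TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", MERCHANTS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Injectable: the caller's input is spliced into the SQL text itself."""
    sql = "SELECT id, name, account FROM merchants WHERE id = '%s'" % merchant_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, merchant_id):
    """Parameterised: the value travels separately from the statement,
    so the database never parses it as SQL."""
    sql = "SELECT id, name, account FROM merchants WHERE id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


def demo():
    """Run both lookups with an honest id and with a classic tautology
    payload, returning the row counts each one produces."""
    conn = new_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into 'x' OR '1'='1'
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "m-1001")),
        "payload_vulnerable": len(lookup_vulnerable(conn, payload)),
        "honest_hardened": len(lookup_hardened(conn, "m-1001")),
        "payload_hardened": len(lookup_hardened(conn, payload)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

The tautology payload makes the formatted query return every merchant row, while the parameterised query treats the same string as a literal id and returns nothing. The practical check that follows from Carr’s account is that a fix like this has to be applied to every query that touches untrusted input, not only the one that was noticed; a penetration test that “found nothing” is not evidence that the remaining paths were closed.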

What Heartland Payment Systems did after the breach

Carr listed the action points that Heartland Payment Systems took in response to the data breach, which was announced in January 2009. “This is the stuff that went unreported by the national press”, he said. “We responded to the data breach with the following action points:

  • Complete reimaging of servers
  • Additional network segregation
  • More intense monitoring
  • More data loss prevention efforts
  • Vontu
  • Everything else the card brands requested.

“We also followed the probation requirements, requested meetings with the card brands and PCI SSC officials, and worked really hard to get certified”, he said.

Ongoing work

Although Heartland’s share price has recovered considerably, that does not mean Heartland can become complacent, insisted Carr. “The work we’re doing to develop an end-to-end encryption standard will continue”, he said.

While Heartland’s CEO acknowledged the importance of, and need for, PCI DSS, he also said that “there is room for improvement”. This, he said, is something Heartland will continue to campaign for. “There are massive opportunities for improvement in payment security. These include better protection from insider attacks and human error. The fact that six million small merchants are having trouble managing 232 requirements also needs to be looked into”.

“QSAs and forensic companies aren’t sharing information on malware and their findings – if they started to do this, they would save time, and more vulnerabilities and breaches would be detected quicker”. In conclusion, Heartland’s CEO restated the need for the QSA system to be fixed. “At the moment a QSA is paid to do the quickest possible job, not the best possible job”.
