QSA system is broken, says Heartland CEO

O.Carr spoke openly to the SC World Congress audience in New York on 13 October, explaining candidly how Heartland Payment Systems suffered (potentially) the world’s largest data security breach, and how the breach made Heartland “a household name”.

The CEO of Heartland, a card processor company which processes more than one million transactions a day, said that the media focused on the breach itself, but failed to report on how Heartland responded to the breach.

“How you respond to the breach is critically important, and not many people listened to that part”, said O.Carr. “We were the quickest company to ever report a breach. As soon as we learned of the breach, we notified card brands, law enforcement and then made the public announcement”.

Heartland’s share price fell dramatically after the breach disclosure, and Heartland was delisted from Visa’s list of approved vendors. “We worked very hard to be reinstated weeks later”, confirmed O.Carr.

“What a lot of people don’t know, is that in late 2007 we discovered a SQL injection into our corporate network. We caught it right away, and thought we’d nailed the problem”, said Heartland’s O.Carr. “We hadn’t”.

“In early 2008 we hired a QSA to perform a penetration test – which found nothing. On April 30th 2008, we were deemed PCI compliant”.

In hindsight, O.Carr insisted, “reports of QSAs are worth nothing. The system is broken, and it needs to be changed”.

In May 2008, Heartland’s payment network was penetrated, and in October, three months before the breach was officially found and announced, a card brand informed Heartland of suspected fraud. “We employed forensics companies to investigate this, and had several Heartland employees vigorously looking into this, but no evidence of intrusion was found”.

What Heartland Payment Systems did after the breach

O.Carr listed the action points that Heartland Payment Systems took in response to the data breach, which was announced in January 2009. “This is the stuff that went unreported by national press”, he said. “We responded to the data breach with the following action points:

  • Complete reimaging of servers
  • Additional network segregation
  • More intense monitoring
  • More data loss prevention efforts
  • Vontu
  • Everything else the card brands requested.

“We also followed the probation requirements, requested meetings with the card brands and PCI SSC officials, and worked really hard to get certified”, he said.

Ongoing work

Although the Heartland share price has made a decent recovery, it does not mean that Heartland can become complacent, insisted O.Carr. “The work we’re doing to develop an end-to-end encryption standard will continue”, he said.

While Heartland’s CEO acknowledged the importance and need for PCI DSS, he also said that “there is room for improvement”. This, he said, is something that Heartland will continue to campaign for. “There are massive opportunities for improvement in payment security. These include better protection from insider attacks and human error. The fact that six million small merchants are having trouble managing 232 requirements also needs to be looked into”.

“QSAs and forensic companies aren’t sharing information on malware and their findings – if they started to do this, they would save time, and more vulnerabilities and breaches would be detected quicker”. In conclusion, Heartland’s CEO restated the need for the QSA system to be fixed. “At the moment a QSA is paid to do the quickest possible job, not the best possible job”.
