CSO - For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.
In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services was forced to acknowledge it had been the target of a data breach -- in hindsight, possibly the largest to date with 100 million credit and debit cards exposed to fraud.
In the following Q&A, Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company, how informing customers of the breach before the media had a chance to was the best response, and how other companies can avoid the pain Heartland has experienced.
Related Podcast: Heartland Data Breach Reflects Lack of Security Progress
Related Slideshow: 4 Years of Data Breaches
Take us back to the moment you were told a breach may have happened. What was your first thought?Carr: "It was a Monday night in January, just after dinner, when I was told data files were found on our servers that were not created by Heartland. That was a clear sign of trouble. It was a sleepless night. The question people always ask is what keeps me awake at night. Well, this is it."
What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."
How did the QSAs respond when you expressed this view?Carr: "In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
