Computerworld
Home News Blogs In Depth ReviewsWhite Papers Newsletters IT Careers

resource center


Ads by TechWords

See your link here

Newsletter Sign-Up

Receive the latest technology news and information.
Storage
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Heartland CEO on Data Breach: QSAs Let Us Down

By Bill Brenner
August 12, 2009 02:07 PM ET
Comments
(5)
Recommended
(50)
Digg
Share/Email

Active Comments
Anonymous says: I'm sorry, no sympathy. Heartland is a payment systems company - for them to blame external auditors for not picking...
Read the rest | Reply
OneFishTwoFish says: Placing blame on the QSA is absurd. The entity being assessed is required to maintain compliance 24/7/365 and obviously the...
Read the rest | Reply
All Comments (5) | Post New


CSO - For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.

In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services was forced to acknowledge it had been the target of a data breach -- in hindsight, possibly the largest to date with 100 million credit and debit cards exposed to fraud.

In the following Q&A, Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company, how informing customers of the breach before the media had a chance to was the best response, and how other companies can avoid the pain Heartland has experienced.

Related Podcast: Heartland Data Breach Reflects Lack of Security Progress

Related Slideshow: 4 Years of Data Breaches

Take us back to the moment you were told a breach may have happened. What was your first thought?Carr: "It was a Monday night in January, just after dinner, when I was told data files were found on our servers that were not created by Heartland. That was a clear sign of trouble. It was a sleepless night. The question people always ask is what keeps me awake at night. Well, this is it."

What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."

How did the QSAs respond when you expressed this view?Carr: "In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions."


Reprinted with permission from

This story is reprinted from CSO Online.com, an online resource for information executives.
Story Copyright CXO Media Inc., 2006. All rights reserved.

Comment Recommend Digg Twitter ShareThis
Email Print Send Feedback Reprints
Jump to comments

Heartland Payment Systems

Additional Resources

Xerox
Win a color printer!
By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!
Microsoft
Upgrade to Internet Explorer 8 today.
Save time and mitigate security risk. Deploy it now.
Sybase
NEXT-GENERATION MOBILITY PLATFORMS
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

What People Are Saying

5 comments | Add new
See all comments (5) | Add new

White Papers & Webcasts

Top 10 Things to Know about Data Protection
Download Now  

Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!

The Power/Density Paradox: The Result of High Density without Power Efficiency
Download this brief to explore what the power/density paradox is and how IT professionals can mitigate the risk.  

Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!

The State of PCI DSS Compliance at Organizations Today
Download this resource today!  

Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!

Symantec Veritas NetBackup Design Best Practices with Data Domain
Learn in-depth about best practices for Archiving Integration, NBU Catalog Backups and NBU Disaster Recovery.  

Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!

VMware Data Backup and Recovery Best Practices
Learn best practices for architecting a backup/recovery/DR approach for VMware with Data Domain.  

The Commercialization of ITIL: Lessons Learned
Register for this event today!

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports
Featured Zone
Business Continuity Zone
An organization's business continuity plan helps keep critical functions running during an emergency–the power fails, a virus is unleashed on your network, a natural disaster has occurred. Even the slightest downtime or loss of data can cripple your operation. CDW can help you prevent disaster by implementing a well-planned recovery strategy.
Click here to visit the Zone
See All Zones

 
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.