Update: Heartland breach shows why compliance is not enough
The huge data breach one year ago hammers home the need for multilayered security controls
Computerworld - Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security.
Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007.
However, it wasn't just the scope of the Heartland breach that made it remarkable, but also the company's insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when it was compromised.
In public comments after the breach, Heartland CEO Robert Carr emphatically claimed the intrusion occurred even though the company had implemented every single one of the security controls mandated by the PCI standard. In an interview with Computerworld last June, Carr said the breach pointed to both the sophistication of the attacks against Heartland and the inadequacy of relying on PCI controls alone for data security.
Carr's claims that Heartland had industry-standard security controls did little to stop the filing of numerous lawsuits against the company for negligence, many of which have since been dismissed in court. The PCI Security Council, which administers the PCI standard, contested Heartland's claims of compliance and overall security readiness at the time of the breach. Speaking with Computerworld this week, Robert Russo, general manager of the PCI Security Council, said the fact that the Heartland breach resulted from a basic SQL injection error calls into question Carr's claims about the sophistication of the attack.
Even so, Carr's statements have led to greater scrutiny of the PCI standard.
The intrusion led to the "stark realization that passing a PCI security audit does not make a company secure," said Avivah Litan, an analyst at research firm Gartner Inc. "This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI," she said.
The intrusion highlighted "very clearly and with no uncertain doubt" that companies needed to worry about securing their systems first rather than complying with PCI standards, Litan said. The Heartland breach showed that it was worth it for companies to go beyond the requirements of the PCI standard by implementing technologies such as end-to-end encryption for protecting cardholder data, she added.
The Heartland incident also showed that compliance with standards such as PCI is meaningless unless there is a way of monitoring that compliance on a continuous basis, said Philip Lieberman, CEO of Lieberman Software Corp., a Los Angeles-based vendor of identity management products.
"There is nothing wrong with PCI. It is a good standard," Lieberman said. "But it also has a fundamental flaw." PCI compliance, he said, is a "point-in-time" certification of a company's readiness to handle security threats. However, there is no continuous process for monitoring compliance built into the PCI standard, he said. As a result, there is no way of knowing if a company that was certified as being compliant one day is still maintaining that compliance the next day.
Questions about the effectiveness of the PCI specification have spurred greater interest in technologies that go beyond those mandated by the standard. One example is end-to-end encryption. Heartland, for instance, has led an effort to implement encryption technologies for protecting cardholder data across the entire transaction life cycle.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts