Update: Heartland breach shows why compliance is not enough

The huge data breach one year ago hammers home the need for multilayered security controls

By Jaikumar Vijayan
January 6, 2010 12:10 PM ET

Computerworld - Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security.

Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007.

However, it wasn't just the scope of the Heartland breach that made it remarkable, but also the company's insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when it was compromised.

In public comments after the breach, Heartland CEO Robert Carr emphatically claimed the intrusion occurred even though the company had implemented every single one of the security controls mandated by the PCI standard. In an interview with Computerworld last June, Carr said the breach pointed to both the sophistication of the attacks against Heartland and the inadequacy of relying on PCI controls alone for data security.

Carr's claims that Heartland had industry-standard security controls did little to stop the filing of numerous lawsuits against the company for negligence, many of which have since been dismissed in court. The PCI Security Council, which administers the PCI standard, contested Heartland's claims of compliance and overall security readiness at the time of the breach. Speaking with Computerworld this week, Robert Russo, general manager of the PCI Security Council, said the fact that the Heartland breach resulted from a basic SQL injection error calls into question Carr's claims about the sophistication of the attack.

Even so, Carr's statements have led to greater scrutiny of the PCI standard.

The intrusion led to the "stark realization that passing a PCI security audit does not make a company secure," said Avivah Litan, an analyst at research firm Gartner Inc. "This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI," she said.

The intrusion highlighted "very clearly and with no uncertain doubt" that companies needed to worry about securing their systems first rather than complying with PCI standards, Litan said. The Heartland breach showed that it was worth it for companies to go beyond the requirements of the PCI standard by implementing technologies such as end-to-end encryption for protecting cardholder data, she added.

The Heartland incident also showed that compliance with standards such as PCI is meaningless unless there is a way of monitoring that compliance on a continuous basis, said Philip Lieberman, CEO of Lieberman Software Corp., a Los Angeles-based vendor of identity management products.

"There is nothing wrong with PCI. It is a good standard," Lieberman said. "But it also has a fundamental flaw." PCI compliance, he said, is a "point-in-time" certification of a company's readiness to handle security threats. However, there is no continuous process for monitoring compliance built into the PCI standard, he said. As a result, there is no way of knowing if a company that was certified as being compliant one day is still maintaining that compliance the next day.

Questions about the effectiveness of the PCI specification have spurred greater interest in technologies that go beyond those mandated by the standard. One example is end-to-end encryption. Heartland, for instance, has led an effort to implement encryption technologies for protecting cardholder data across the entire transaction life cycle.