By Robert Westervelt, News Editor
When Heartland Payment Systems announced a data security breach on Inauguration Day, the collective gasp from security professionals could be heard around the world.
Heartland, one of the country's largest payment processors, had achieved PCI compliance. Yet the breach could be the largest ever, trumping that of TJX Cos. when 45 million credit and debit cards were pilfered by hackers who accessed the retailer's Wi-Fi systems.
How can a payment processor -- whose primary business is to securely and efficiently process billions of transactions annually -- fail in such a colossal way? The Heartland breach details are scarce, but the early lesson seems to be that you can't rest on your laurels, even once you've achieved compliance. No matter how hardened your systems are, a determined person with the right skills can, and will, find a way in.
A recent Ponemon Institute survey of 43 businesses that had experienced a data breach found that 84% involved organizations that had more than one major breach. More than 88% of all cases involved insider negligence.
"It's impossible to create an environment where you cannot have a data breach," said Larry Ponemon, founder and chairman of the Ponemon Institute. "Data breaches will probably continue even for the best of companies, but it's how you detect it, how you respond to it and how you manage the risk that matters most."
Heartland founder and CEO Robert O. Carr responded to his company's breach by calling for sweeping changes in the industry with encryption technologies. He likened the breach to that of Johnson & Johnson's massive Tylenol recall in 1982 after seven people died taking cyanide-laced Tylenol Extra-Strength capsules. As a result, Johnson & Johnson produced new safety seal packaging that would set the standard for the rest of the industry.
Carr is calling for end-to-end encryption, from the time a consumer swipes their credit card to the payment processor's systems.
"There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required," Carr said in a statement. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."
The fact is, even encryption can lull businesses into a false sense of security, said Phillip Dunkelberger, president and CEO of encryption vendor PGP Corp. Encrypted data has to be unencrypted in order to be accessed. Technologies are available to secure sensitive data in motion, but once it arrives at its destination, he said, the data arrives in a clear form.
"Businesses have to understand how data moves through the company systems to understand how to protect it from internal and external threats," Dunkelberger said. "Many haven't reached that level of understanding yet."
"Malware detection is really critical so you don't have Trojans there when you deencrypt it," he said.
The payment processing industry is under constant bombardment from attacks, said Henry Helgeson CEO of Boston-based payment processor, Merchant Warehouse. The processor handles about 3 million transactions a month and $3.5 billion in transactions annually. Like many processors, Merchant Warehouse has a compliance officer whose job is to maintain the company's PCI compliance.
"I think the 12 bullet points in PCI are good to follow, but I don't think you should necessarily stop when you get through those 12 points," Helgeson said. "It's really scary that this happened to Heartland. Hopefully we'll get some details on this that says Heartland made a mistake and this isn't something that we're all vulnerable to."
Does the industry need to do something on the level of Johnson & Johnson's safety seal packaging to protect sensitive data? Ponemon doesn't think so. PCI lays out the fundamentals every organization must use to have the best defenses. Vigilance is the most important factor.
"The only way to do this right is a combination of good technology solutions and generally smart people who are educated and trained appropriately," Ponemon said. "You solve this problem by training people and giving them the tools to secure their data."
Robert Westervelt is news editor of SearchSecurity.com. Send feedback on this article to firstname.lastname@example.org.