COLUMN

Heartland breach highlights PCI limitations

By Eric Ogren
05 Feb 2009 | SearchSecurity.com



The case of Heartland Payment Systems, the latest credit card processor to have suffered a significant security incident involving loss of consumer credit card data, is particularly sobering for the security industry.

Heartland invested in the security products and audit processes necessary to comply with the Payment Card Industry Data Security Standard (PCI DSS) and yet still suffered a serious exposure of consumer credit card data. This is the same PCI standard that security professionals have deemed to be the reasonable level of care necessary to secure the technical elements of a business. The fact that a responsible security-conscious organization such as Heartland can still be successfully penetrated calls into question the entire PCI specification and the security technologies that provide PCI's foundation.


PCI was conceived by the credit card manufacturers to reduce the expenses of credit card fraud by shifting the burden of protection onto merchants and card processors. The standard is organized into 12 chapters of general requirements and assessment procedures that require compliant organizations to own and operate a wide variety of security technologies. A large percentage of organizations, however, have yet to achieve full PCI compliance due to the magnitude of effort and amount of security investment required. It would have been more cost-effective for the credit card companies to change to more secure business processes than to throw money at securing a flawed model that encourages wide dissemination of credit card data.

Compliance with PCI certainly reduces the risk of security incidents, but it does not guarantee that an organization remains secure. Heartland was typical of system breaches in that the attack was only discovered after the credit card companies identified Heartland as the source of a high rate of fraudulent transactions. It took expert teams from Heartland weeks to find the attack, even with advance knowledge that the malicious code was thriving in its network. PCI's technically oriented preventive measures could not mitigate the attack, nor could the manual audit processes discover the malicious code in a timely manner. Furthermore, the standard is often overkill for enterprises, and the prescriptive nature of PCI inhibits innovation in areas such as virtualization and cloud computing.

While protecting consumer data is still of primary importance for most organizations, the economy is forcing many businesses to make tradeoffs between IT security and keeping their business afloat. Full PCI compliance is an enormously expensive proposition in terms of skilled labor and deployed security products. The benefits of complete PCI and the necessity of full compliance are now being widely questioned.


PCI is one of the more prescriptive standards in that it not only sets security requirements, but also dictates how organizations must meet those requirements. Fortunately, PCI does allow for the concept of "compensating controls," under which the organization can document alternative approaches for meeting the general PCI requirements. Organizations should look to leverage compensating controls to apply the spirit of PCI to their unique business needs. The company can then apply the best features of PCI, including its basis for security awareness throughout the enterprise, to the areas that are most important to the business.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending mail to eric@ogrengroup.com.
