Retired Member
A post relating to this item from Finextra:

Heartland forced to update Q3 results as data breach costs rack up

10 November 2009
Heartland Payment Systems has revised its third quarter results after doubling the provision - to $73.3 million - for expenses related to the massive data breach it suffered last year.

Blind faith in PCI compliance leaves financial data exposed

03 December 2009

The indictment of Albert Gonzalez for the theft of 130 million credit and debit card details from Heartland Payment Systems caught the headlines recently. Not for the indictment in itself, nor because Heartland’s security defences had been bypassed, but because the company had been declared PCI compliant by Qualified Security Assessors (QSAs) in April 2008. What was worrying about the case was the subsequent statement from CEO Robert Carr dismissing the value of PCI: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever.” An audit doesn’t make you secure; it confirms that you were meeting a minimum requirement at a given point in time, for the systems that were in scope on that day. Carr’s protestation is akin to saying there is no point in having a law around seat belts!

Although it is mainly the retail industry that is up in arms over the breach, financial institutions should be aware of the knock-on effect of an incident like this. One credit union put the total losses from fraudsters using these stolen card numbers at nearly $70,000 per card. The lesson to learn from the ongoing Heartland/PCI debate shouldn’t be that PCI failed Heartland; it is that compliance does not automatically equal a high-grade security posture, and all companies (financial and retail alike) must take full responsibility for their own.

The fact of the matter is that most people concerned with compliance are driven to look at just the requirements of the specific standard or regulation they are being assessed against. Compliance does not, and cannot, by itself result in a secure IT estate: the assessment is a snapshot, and a control that passed on assessment day can have lapsed by the time an attacker arrives. When it comes to risk, it’s worth remembering that a secure environment is multi-faceted and requires technology, people, process and policy working together, so that the business can decide how far to mitigate and what residual risk it is comfortable accepting.

Tags: Security, Payments
