Heartland Breach Shows Why Compliance Is Not Enough

Nearly a year after Heartland Payment Systems disclosed what turned out to be the biggest breach involving payment card data, the company remains a potent example of how compliance with industry standards is no guarantee of security.

Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc in 2007.

However, it wasn't just the scope of the Heartland breach that made it remarkable, but also the company's insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standards (PCI DSS) when it was compromised.

In public comments after the breach, Heartland CEO Robert Carr emphatically claimed the intrusion occurred even though the company had implemented every single one of the security controls mandated by PCI. In an interview with Computerworld last June Carr said the breach pointed to both the sophistication of the attacks against Heartland and the inadequacy of relying on PCI controls alone for data security.

Carr's claims did little to stop the filing of numerous lawsuits against the company for negligence, many of which have since been dismissed in court. The PCI Security Council, which administers the PCI standard, bluntly refuted Heartland's claims of compliance and its overall security readiness at the time of the breach. Speaking with Computerworld this week, Robert Russo, general manager of the PCI Security Council, said the fact that the Heartland breach resulted from a basic SQL injection error also refutes Carr's claims about the sophistication of the attack.

Even so, Carr's statements have led to greater scrutiny of the PCI standard.

The intrusion resulted in the "stark realization that passing a PCI security audit does not make a company secure," said Avivah Litan, an analyst with research firm Gartner Inc. "This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI," she said.

The intrusion highlighted "very clearly and with no uncertain doubt" that companies needed to worry about securing their systems first rather than complying with PCI standards, Litan said. The Heartland breach showed that it was worth it for companies to go beyond the requirements of the PCI standard by implementing technologies such as end-to-end encryption for protecting cardholder data, she added.

The Heartland incident showed in no uncertain manner that compliance with standards such as PCI is meaningless unless there is a way of monitoring that compliance on a continuous basis, said Philip Lieberman, CEO of Lieberman Software, a Los Angeles-based vendor of identity management products.

"There is nothing wrong with PCI. It is a good standard," Lieberman said. "But it also has a fundamental flaw." PCI compliance, he said, is a "point-in-time" certification of a company's readiness to handle security threats. However, there is no continuous process for monitoring compliance built into PCI, he said. As a result, there is no way of knowing if a company that was certified as being compliant one day is still maintaining that compliance the next day.

Questions about the effectiveness of PCI have spurred greater interest in technologies that go beyond those mandated by the standard. One example is end-to-end encryption. Heartland, for instance, has led an effort to implement encryption technologies for protecting cardholder data across the entire transaction lifecycle.

"The biggest positive impact from the breach has been the dramatic increase in interest in end-to-end encryption of payment data," said Jim Huguelet, an independent PCI security consultant based in Bolingbrook, Ill. Though it is a concept that has been talked about for years, interest in end-to-end encryption "really gathered momentum in 2009 after HPS publicly committed to implementing this capability and offering it to their customers," he said.

Meanwhile, the PCI Security Council is researching the applicability of technologies such as card tokenization and Chip and PIN in the U.S. Tokenization is a technique in which information from the magnetic stripe on the back of cards is replaced with randomly generated numbers, or tokens, before being transmitted for authorization. Chip and PIN, which is widely used in Europe, protects cardholder data by requiring individuals to enter personal identification numbers (PINs) when using their cards.
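As an added illustration of the tokenization scheme described above (example code, not from the Computerworld article, Heartland or the PCI Council), here is a minimal tokenization vault in Python: the card number is swapped for a random token before it leaves the point of sale, and only the vault can map it back. The TokenVault class, the merchant_record helper and the test card numbers are assumptions constructed for this example.

```python
import re
import secrets


class TokenVault:
    """Hypothetical tokenization vault (example code, not a real product).

    A PAN (primary account number) is exchanged for a random token before the
    card data leaves the point of sale. Merchant systems store and transmit
    only the token; only the vault can map it back, so the vault is the one
    component that has to be protected and kept in PCI scope.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible PAN length")
        if digits in self._pan_to_token:          # same card, same token
            return self._pan_to_token[digits]
        # Keep the last four digits (needed on receipts) and replace the rest
        # with digits from a CSPRNG; the token is therefore unrelated to the PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the authorization path calls this; unknown tokens are rejected."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise ValueError("unknown token") from None


def merchant_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What a merchant database row looks like after tokenization: no PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    row = merchant_record(vault, "4111111111111111")   # constructed test number
    print(row)                                          # token only, no PAN
    print(vault.detokenize(row["token"]))               # PAN recovered by the vault
```

A breach of the merchant database in this model yields only tokens, which is the point of moving the PAN out of every system except the vault.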

Other security measures that go beyond those specified under PCI have also gained attention in the wake of the Heartland breach. Examples include a magnetic stripe technology that allows for the creation of unique "fingerprints" for each credit card, and a challenge-response process, in which consumers must answer certain specific questions -- such as their ZIP code -- at the point-of-sale terminal.

"The Heartland breach really drilled home the fact that security is about taking a layered approach," Russo said. Since the breach was disclosed, "we have been hearing a lot of buzzwords like end-to-end encryption, tokenization and all these different technologies," Russo said. "But there is no one silver bullet here. The more you layer on, the harder you make it for thieves," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter @jaivijayan, send e-mail at jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed.

This story, "Heartland Breach Shows Why Compliance Is Not Enough" was originally published by Computerworld.
