Heartland breach highlights PCI limitations


Karen Chiang in PCIS

Despite its investment in security products and audit processes to comply with PCI DSS requirements, Heartland was still breached, exposing its customers' credit card data.

Captured on 01 Apr 2009 from searchsecurity.techtarget.com


By Eric Ogren

05 Feb 2009 | SearchSecurity.com


Heartland invested in the security products and audit processes necessary to comply with the Payment Card Industry Data Security Standard (PCI DSS) and yet still suffered a serious exposure of consumer credit card data. This is the same PCI standard that security professionals have deemed to be the reasonable level of care necessary to secure the technical elements of a business. The fact that a responsible security-conscious organization such as Heartland can still be successfully penetrated calls into question the entire PCI specification and the security technologies that provide PCI's foundation.


PCI was conceived by the credit card companies to reduce the expense of credit card fraud by shifting the burden of protection onto merchants and card processors. The standard is organized into 12 chapters of general requirements and assessment procedures that require compliant organizations to own and operate a wide variety of security technologies. A large percentage of organizations, however, have yet to achieve full PCI compliance because of the magnitude of effort and the amount of security investment required. It would have been more cost-effective for the credit card companies to change to more secure business processes than to throw money at securing a flawed model that encourages wide dissemination of credit card data.

Compliance with PCI certainly reduces the risk of security incidents, but it does not guarantee that an organization remains secure. Heartland was typical of system breaches in that the attack was only discovered after the credit card companies identified Heartland as the source of a high rate of fraudulent transactions. It took expert teams from Heartland weeks to find the attack, even with advance knowledge that malicious code was active in its network. PCI's technically oriented preventive measures did not stop the attack, nor did the manual audit processes discover the malicious code in a timely manner. Furthermore, the standard is often overkill for enterprises, and the prescriptive nature of PCI inhibits innovation in areas such as virtualization and cloud computing.

While protecting consumer data is still of primary importance for most organizations, the economy is forcing many businesses to make tradeoffs between IT security and keeping their business afloat. Full PCI compliance is an enormously expensive proposition in terms of skilled labor and deployed security products. The benefits of complete PCI and the necessity of full compliance are now being widely questioned.


PCI is one of the more prescriptive standards: it not only sets security requirements but also dictates how organizations must meet them. Fortunately, PCI does allow for the concept of "compensating controls," under which an organization can document alternative approaches for meeting the general PCI requirements. Organizations should leverage compensating controls to apply the spirit of PCI to their unique business needs. A company can then apply the best features of PCI, including its basis for security awareness throughout the enterprise, to the areas that matter most to the business.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending mail to eric@ogrengroup.com.
