By Michael R. Farnum
Hitting the Security Nerve
August 13, 2009
If you are reading this, you probably know about Heartland Payment
Systems and the credit card system breach they suffered in late '08 -
early '09. There are a lot of details to be found, so I won't rehash it
all. So let's just focus on one point: Heartland had been declared PCI
compliant before the breach. And that is the focus of Robert Carr,
Heartland CEO, in his interview with Bill Brenner at CSO Magazine. He
places the blame for his breach squarely on PCI DSS and the QSAs
(Qualified Security Assessors) that audited Heartland's PCI compliance.
And that is why Rich Mogull got out the can opener and proceeded to open
a big can of whoop-a$$.
Honestly, Rich has already done a better job than I could do on
explaining why Mr. Carr's statements were misguided at best. So I will
just point out a few quotes and leave you to read the interview and the
As the CEO of a large public company you clearly understand the role
of audits, assessments, and auditors. You are also fundamentally
familiar with the concepts of enterprise risk management and your
fiduciary responsibility as an officer of your company. Your
attempts to shift responsibility to your QSA are the accounting
equivalent of blaming your external auditor for failing to prevent
the hijacking of an armored car.
This, folks, is the best quote in Rich's whole post, IMHO. This clearly
points out why Mr. Carr is so wrong in his interview. This shows why I
fully expect Mr. Carr to run for political office in the near future.
He is very good at shifting blame when he knows (or at least should have
known) that he is at fault. Mr. Carr had a security team. Mr. Carr,
you and your security team are responsible for this breach, not the
QSAs. Your security team are the guards on the armored car; the QSAs
are the external auditors.
Another quote from Mr. Mogull:
I agree completely that this is a problem with PCI. But what
concerns me more is that the CEO of a public company would rely
completely on an annual external assessment to define the whole
security posture of his organization. Especially since there has
long been ample public evidence that compliance is not the
equivalent of security. Again, if your security team failed to make
you aware of this distinction, I'm sorry.
Did you catch that? It can't be said enough: "there has long been ample
public evidence that compliance is not the equivalent of security." Of
course, Mr. Carr acts like this is a revelation of some kind when he