Bank Info Security
October 5, 2009
Months before announcing the Heartland Payment Systems (HPY) data
breach, company CEO Robert Carr told industry analysts that the Payment
Card Industry Data Security Standard (PCI DSS) was an insufficient
This is the contention of a new master complaint filed in the class
action suit against Heartland, which in January announced a data breach
that is now estimated to be the largest known hack, involving 130
million credit and debit card accounts.
In a November 2008 earnings call, according to the complaint, Carr told
analysts, "[We] also recognize the need to move beyond the lowest common
denominator of data security, currently the PCI DSS standards. We
believe it is imperative to move to a higher standard for processing
secure transactions, one which we have the ability to implement without
waiting for the payments infrastructure to change."
Carr's comment confirms that the PCI standards are minimal, and that the
actual industry standard for security is much higher, the complaint
alleges. "Heartland executives were well aware before the Data Breach
occurred that the bare minimum PCI-DSS standards were insufficient to
protect it from an attack by sophisticated hackers," the document says.