Lawsuit: Heartland Knew Data Security Standard was 'Insufficient'

Lawsuit: Heartland Knew Data Security Standard was 'Insufficient'
Lawsuit: Heartland Knew Data Security Standard was 'Insufficient' 

Linda McGlasson
Managing Editor
Bank Info Security
October 5, 2009

Months before announcing the Heartland Payment Systems (HPY) data 
breach, company CEO Robert Carr told industry analysts that the Payment 
Card Industry Data Security Standard (PCI DSS) was an insufficient 
protective measure.

This is the contention of a new master complaint filed in the class 
action suit against Heartland, which in January announced a data breach 
that is now estimated to be the largest known hack, involving 130 
million credit and debt card accounts.

In a November 2008 earnings call, according to the complaint, Carr told 
analysts, "[We] also recognize the need to move beyond the lowest common 
denominator of data security, currently the PCI DSS standards. We 
believe it is imperative to move to a higher standard for processing 
secure transactions, one which we have the ability to implement without 
waiting for the payments infrastructure to change."

Carr's comment confirms that the PCI standards are minimal, and that the 
actual industry standard for security is much higher, the complaint 
alleges. "Heartland executives were well aware before the Data Breach 
occurred that the bare minimum PCI-DSS standards were insufficient to 
protect it from an attack by sophisticated hackers," the document says. 


Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods