By Jaikumar Vijayan
January 6, 2010
Nearly a year after Heartland Payment Systems Inc. disclosed what turned
out to be the biggest breach involving payment card data, the incident
remains a potent example of how compliance with industry standards is no
guarantee of security.
Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders
had broken into its systems and stolen data on what was later revealed
to be a staggering 130 million credit and debit cards. That number
easily eclipsed the 94 million cards that were compromised in the
massive breach disclosed by TJX Companies Inc. in 2007.
However, it wasn't just the scope of the Heartland breach that made it
remarkable, but also the company's insistence that it was certified as
fully compliant with the requirements of the Payment Card Industry Data
Security Standard (PCI DSS) when it was compromised.
In public comments after the breach, Heartland CEO Robert Carr
emphatically claimed the intrusion occurred even though the company had
implemented every single one of the security controls mandated by the
PCI standard. In an interview with Computerworld last June, Carr said
the breach pointed to both the sophistication of the attacks against
Heartland and the inadequacy of relying on PCI controls alone for data