Does the Heartland breach prove PCI useless?

by Steve Ragan - Jan 26 2009, 17:50

The news that Heartland Payment Systems, Inc. suffered a security breach that compromised millions of credit and debit card related transactions has by now made some in the security world stand up and take notice. The pundits are alive with speculation, vendors are alive with advice and pitches, and consumers are left with fear. Does the fabled PCI standard simply not work? Does this recent loss of financial data prove PCI has failed?

Should PCI be scrapped? Are the latest breaches proof that PCI is useless?(IMG:J.Anderson)

The first thing you have to remember is that PCI compliance -- no matter what level of financial operation a company performs at -- does not mean that the data, network, or overall well being of the company, is secure. Simply put, bluntly if you will, assuming PCI compliance equals security is stupid.The facts surrounding the breach are established. You can read about them on a Heartland provided Web site. Long story short, Visa and MasterCard raised some red flags and alerted Heartland to suspicious transactions. After an audit, Heartland uncovered Malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder’s name.Early reports on the Heartland breach took aim at the company for the timing of the public notice. The announcement of the security violation was published the same day President Obama took office, leading some to claim this was an intentional attempt to bury the story. This line of thought is false, as the timing of the release was nothing more than poor timing.“Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until [Inauguration Day],” said Robert Baldwin, Heartland's president and chief financial officer, in a Washington Post report.“We considered holding back another day,” he added, “but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility.”Some reports took aim at the press release from Heartland, citing the lack of information as well as the choice of information published. For example, the release explained all of the data that was not stolen, but failed to mention the data that was eventually compromised. Not that big of a deal, if you consider it was easy to narrow down the types of data Heartland processes.The problem is that with the data that was stolen, criminals have all they need to clone cards. This is why Heartland has advised cardholders to monitor their credit-card statements. Another issue is that there is no evidence pointing to how long the “sniffers” were active on the Heartland network. Most assumptions claim the Malware existed for months before it was discovered.However, because of the scope of Heartland’s operation, there has been little done to narrow down the list of potential victims. All that's known so far is that Heartland processes an obscene amount of transactions per month. 40 percent of those transactions, according to the company, come from small to mid-sized restaurant operations.No restaurants have been named however, so it could be something as simple as a charge from a mom-and-pop diner to a larger chain restaurant that was compromised.So now that you know how the data was stolen. What the data was. And that there is no solid way to predict if you are a victim in the crime. Should you blame Heartland, PCI regulation, or both?How about none of the above?
"The PCI DSS is not useless but this breach certainly proves that it is imperfect. The PCI DSS has driven many organizations to implement important security controls that provide better protection of card holder data which raise the difficulty level and the resources required for unauthorized access of cardholder data. However, the PCI DSS is imperfect because every organization’s risk profile, processes and systems are different," Gretchen Hellman, vice president of security solutions at Vormetric, told The Tech Herald. "Given that, a strong security program cannot be placed into a universal checklist of items, but needs to come from balancing risk and business impacts with controls. This breach is a primary demonstration that the harder you make security to bypass, the more sophisticated the attacks become. It’s a never ending arms race. Having said that, implementing encryption over sensitive data where-ever possible and reasonable and complimenting those data level controls with monitoring where they cannot be implementing is an essential part of any security program."Heartland was, at the time of the breach, and currently is, PCI compliant. It passed an inspection in April of 2008; this fact only serves to stress the point that PCI compliance does not equal security.The company that certified them, Trustwave, is established as a QSA (Qualified Security Assessors). If you wanted to lay blame on Trustwave for the breach, you would be hard-pressed to prove it. A QSA can only ensure that a company meets or exceeds the requirements of PCI compliance. No QSA can ensure or promise that a company it assesses for is completely secure and defended against attack.PCI compliance, much like the often preached Industry Best Practices of IT, amounts to nothing more than a simple list of baselines. They are something to be used to set a level of security, or rather a level of preparedness. Taking all the steps needed for PCI compliance assures a company no more security than it would get by disabling guest accounts on workstations.To put this into perspective, Requirement 1 of PCI says that a company must install and maintain a firewall to protect cardholder data. In IT, Industry Best Practice tells you to use a firewall to block all incoming and outgoing traffic to the network, allowing only select ports access. This is often referred to as the “block all – allow some” rule in network security.However, meeting the requirement of a firewall properly secured does nothing to prevent security problems on a network. As was the case with the Hannaford breach, the Heartland breach took advantage of problems that were not related to port lockdowns and firewall configurations. The firewall was circumvented by other non-disclosed means. We know this because both Heartland and Hannaford were PCI certified; they had to meet Requirement 1 to earn this certification. So there had to have been another route past the firewalls.So should Heartland be doing anything in the aftermath? It already has, by looking into security upgrades and creating a public Web site, 2008breach.com, for information sharing. Yet, there is a problem with this site. It has become a PR front for the company.Heartland should use 2008breach.com for more than marketing. There is little information online for the public; most of what is will confuse average consumers who only want to know if they are affected by the events.Case in point would be the recent press release posted to the site. While one would expect the new release to be related to the breach, such as contain more information or some details of what to watch for on a credit report, what it offers is pure marketing.The lead off on the release is: “Heartland Payment Systems added more than 400 merchants to its client base in the past few days — exceeding results for the same period from last year.”While you can see this as a positive, people still trust the company despite the breach, this is a moot point; Heartland is so big it’s almost impossible to process credit transactions without it. No, the new announcement is marketing, pure and simple."Our organization and business model founded on fair dealings, transparency and merchant advocacy have paid off these past few days," Robert O. Carr, Heartland's founder, chairman and chief executive officer, stated in the press release."This is demonstrated in the continued organic growth of our merchant base. Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning. Our record of candor, fair dealing, no arbitrary rate increases since our formation almost 12 years ago and superior customer service is highly valued."PCI is not security, while what happened at Heartland should have been detected long before it actually was, becoming PCI compliant did not ensure that the compromised transactions were safe. All PCI compliance did was ensure that the basics were in place and offer a fundamental base for protection. This base protection can, and will always be, suspect, as criminals are smarter than you might expect. If there is a way to make money, they will discover it, and use it.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

godencrantzJan 27th, 2009 - 02:57:33

PCI ultimately will fail. There is technology available that enables the card number on the magnetic swipe to be changed with each use. I believe this is the only method to insure security. Look up www.privasys.com or www.qsecure.com. Both offer technology that make a credit card number history and not personal information.

Report this comment

AdmynJan 28th, 2009 - 15:07:08

PCI is not useless, it is a security measure, not a security solution, being compliant does NOT mean you are secure.

Report this comment

PCI MattersSep 17th, 2009 - 22:15:15

PCI is very relevant and is providing significant preventative controls today that without the work that has been invested in, we would easily see multiple times the compromises we are seeing today. However I think that it could be said that multiple times the amount of the actual breach losses is spent in PCI compliance. One of the major problems is getting this industry to take controls seriously as an ongoing security process.

The industry started 6 years ago as a total joke in terms of data security (not just with regards to card data)with almost no controls and really negligent approaches to information security. PCI was a response to this and in many cases where merchants, service providers, application vendors and processors took security and controls to heart and not just compliance they have made huge strides in information protection. Many of these merchants and service providers have gained huge benefits in process improvements and innovation in IT technology as part of their remediation.

I would say that one area that has failed in PCI compliance alongside merchants not taking it seriously as a process is QSA's that provide negligent assessment work and just execute check list audits. If you look at the recent major breaches you will see Trustwave attached to most of them. They are known to provide cookie cutter, fast-food versions of assessments by junior QSA’s with little experience and customers are left with a false sense of security by achieving their “SEAL” of compliance. Worse yet they try to sell a bunch of managed security services to 'make' them compliant that should be a conflict of interest to start with.

The jist is that if merchants and SP don't take the intent of PCI to heart and address security alongside compliance and don't select a competent QSA that will help them implement a real program then you will see everyone say PCI is failing. The question should be who is failing PCI.

Report this comment

page: 1

Add your comment (no registration required)

Security

Does the Heartland breach prove PCI useless?

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print