The news that Heartland Payment Systems, Inc. suffered a security breach that compromised millions of credit and debit card related transactions has by now made some in the security world stand up and take notice. The pundits are alive with speculation, vendors are alive with advice and pitches, and consumers are left with fear. Does the fabled PCI standard simply not work? Does this recent loss of financial data prove PCI has failed?
The first thing you have to remember is that PCI compliance -- no matter what level of financial operation a company performs at -- does not mean that the data, network, or overall well being of the company, is secure. Simply put, bluntly if you will, assuming PCI compliance equals security is stupid.
The facts surrounding the breach are established. You can read about them on a Heartland provided Web site. Long story short, Visa and MasterCard raised some red flags and alerted Heartland to suspicious transactions. After an audit, Heartland uncovered Malware (the data-sniffing kind) that allowed thieves to capture credit or debit-card numbers, expiration dates, and in some cases the cardholder’s name.
Early reports on the Heartland breach took aim at the company for the timing of the public notice. The announcement of the security violation was published the same day President Obama took office, leading some to claim this was an intentional attempt to bury the story. This line of thought is false, as the timing of the release was nothing more than poor timing.
“Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until [Inauguration Day],” said Robert Baldwin, Heartland's president and chief financial officer, in a Washington Post report.
“We considered holding back another day,” he added, “but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility.”
Some reports took aim at the press release from Heartland, citing the lack of information as well as the choice of information published. For example, the release explained all of the data that was not stolen, but failed to mention the data that was eventually compromised. Not that big of a deal, if you consider it was easy to narrow down the types of data Heartland processes.
The problem is that with the data that was stolen, criminals have all they need to clone cards. This is why Heartland has advised cardholders to monitor their credit-card statements. Another issue is that there is no evidence pointing to how long the “sniffers” were active on the Heartland network. Most assumptions claim the Malware existed for months before it was discovered.
However, because of the scope of Heartland’s operation, there has been little done to narrow down the list of potential victims. All that's known so far is that Heartland processes an obscene amount of transactions per month. 40 percent of those transactions, according to the company, come from small to mid-sized restaurant operations.
No restaurants have been named however, so it could be something as simple as a charge from a mom-and-pop diner to a larger chain restaurant that was compromised.
So now that you know how the data was stolen. What the data was. And that there is no solid way to predict if you are a victim in the crime. Should you blame Heartland, PCI regulation, or both?
How about none of the above?
"The PCI DSS is not useless but this breach certainly proves that it is imperfect. The PCI DSS has driven many organizations to implement important security controls that provide better protection of card holder data which raise the difficulty level and the resources required for unauthorized access of cardholder data. However, the PCI DSS is imperfect because every organization’s risk profile, processes and systems are different," Gretchen Hellman, vice president of security solutions at Vormetric, told The Tech Herald.
"Given that, a strong security program cannot be placed into a universal checklist of items, but needs to come from balancing risk and business impacts with controls. This breach is a primary demonstration that the harder you make security to bypass, the more sophisticated the attacks become. It’s a never ending arms race. Having said that, implementing encryption over sensitive data where-ever possible and reasonable and complimenting those data level controls with monitoring where they cannot be implementing is an essential part of any security program."
Heartland was, at the time of the breach, and currently is, PCI compliant. It passed an inspection in April of 2008; this fact only serves to stress the point that PCI compliance does not equal security.
The company that certified them, Trustwave, is established as a QSA (Qualified Security Assessors). If you wanted to lay blame on Trustwave for the breach, you would be hard-pressed to prove it. A QSA can only ensure that a company meets or exceeds the requirements of PCI compliance. No QSA can ensure or promise that a company it assesses for is completely secure and defended against attack.
PCI compliance, much like the often preached Industry Best Practices of IT, amounts to nothing more than a simple list of baselines. They are something to be used to set a level of security, or rather a level of preparedness. Taking all the steps needed for PCI compliance assures a company no more security than it would get by disabling guest accounts on workstations.
To put this into perspective, Requirement 1 of PCI says that a company must install and maintain a firewall to protect cardholder data. In IT, Industry Best Practice tells you to use a firewall to block all incoming and outgoing traffic to the network, allowing only select ports access. This is often referred to as the “block all – allow some” rule in network security.
However, meeting the requirement of a firewall properly secured does nothing to prevent security problems on a network. As was the case with the Hannaford breach, the Heartland breach took advantage of problems that were not related to port lockdowns and firewall configurations. The firewall was circumvented by other non-disclosed means. We know this because both Heartland and Hannaford were PCI certified; they had to meet Requirement 1 to earn this certification. So there had to have been another route past the firewalls.
So should Heartland be doing anything in the aftermath? It already has, by looking into security upgrades and creating a public Web site, 2008breach.com, for information sharing. Yet, there is a problem with this site. It has become a PR front for the company.
Heartland should use 2008breach.com for more than marketing. There is little information online for the public; most of what is will confuse average consumers who only want to know if they are affected by the events.
Case in point would be the recent press release posted to the site. While one would expect the new release to be related to the breach, such as contain more information or some details of what to watch for on a credit report, what it offers is pure marketing.
The lead off on the release is: “Heartland Payment Systems added more than 400 merchants to its client base in the past few days — exceeding results for the same period from last year.”
While you can see this as a positive, people still trust the company despite the breach, this is a moot point; Heartland is so big it’s almost impossible to process credit transactions without it. No, the new announcement is marketing, pure and simple.
"Our organization and business model founded on fair dealings, transparency and merchant advocacy have paid off these past few days," Robert O. Carr, Heartland's founder, chairman and chief executive officer, stated in the press release.
"This is demonstrated in the continued organic growth of our merchant base. Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning. Our record of candor, fair dealing, no arbitrary rate increases since our formation almost 12 years ago and superior customer service is highly valued."
PCI is not security, while what happened at Heartland should have been detected long before it actually was, becoming PCI compliant did not ensure that the compromised transactions were safe. All PCI compliance did was ensure that the basics were in place and offer a fundamental base for protection. This base protection can, and will always be, suspect, as criminals are smarter than you might expect. If there is a way to make money, they will discover it, and use it.