What Has the Heartland Systems Data Security Breach Taught Us and is PCI Compliance Enough?

Heartland Security Systems has been slow to release detailed information about their data breach, but we know that after being notified by VISA about a high number of fraudulent transactions, it took them at least two weeks to find the source of the problem: malware. More specifically, a Trojan with the ability to sniff data on its network. What’s significant is that the hackers targeted the sensitive magnetic stripe data as it was being transmitted, not information stored in a database. After all, since one of the core requirements of PCI is that the magnetic stripe data must not be stored, where else can hackers get it, right?
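The point above, that cleartext magnetic stripe data on the wire is the exposure, is something a defender can check for directly. The following is an added example (not Heartland's code, and not from any product the post mentions) of the kind of detection a network DLP sensor or IDS rule performs: it scans captured payloads for the Track 1 and Track 2 magnetic stripe formats, discards regex hits whose account number fails the Luhn check, and reports only masked PANs. The sample flows, the function names (`find_track_data`, `scan_flows`) and the test card number 4111111111111111 are constructed for illustration.

```python
import re

# Magnetic stripe layouts (ISO/IEC 7813):
#   Track 2: ;PAN=YYMMSSS<discretionary>?   (';' start, '=' separator, '?' end)
#   Track 1: %BPAN^NAME^YYMMSSS<discretionary>?
# YYMM is the expiry, SSS the three-digit service code.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[0-9]*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI-permitted display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload: bytes) -> list[dict]:
    """Return Luhn-validated track-data hits found in one payload, PANs masked."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(),
                         "service_code": m.group(3).decode(),
                         "offset": m.start()})
    for m in TRACK1_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "pan": mask_pan(pan),
                         "expiry": m.group(3).decode(),
                         "service_code": m.group(4).decode(),
                         "offset": m.start()})
    return hits


def scan_flows(flows: list[dict]) -> list[dict]:
    """Run the detector over reassembled flows; one alert per flow carrying track data."""
    alerts = []
    for flow in flows:
        hits = find_track_data(flow["payload"])
        if hits:
            alerts.append({"src": flow["src"], "dst": flow["dst"], "hits": hits})
    return alerts


# Constructed sample flows (not real captures). Hosts and payloads are invented.
SAMPLE_FLOWS = [
    # Cleartext Track 2 leaving a POS host: this is the Heartland-style exposure.
    {"src": "10.0.5.21", "dst": "10.0.9.8",
     "payload": b"\x02;4111111111111111=25121010000000000?\x03"},
    # Cleartext Track 1 with cardholder name.
    {"src": "10.0.5.22", "dst": "10.0.9.8",
     "payload": b"%B4111111111111111^DOE/JANE^25121010000000000?"},
    # Looks like Track 2 but the PAN fails Luhn: dropped as a false positive.
    {"src": "10.0.5.23", "dst": "10.0.9.8",
     "payload": b";1234567890123456=2512101000?"},
    # Ordinary HTTP traffic, no track data.
    {"src": "10.0.5.24", "dst": "10.0.9.9",
     "payload": b"GET /status HTTP/1.1\r\nHost: switch.internal\r\n\r\n"},
    # Opaque (e.g. TLS-protected) bytes: the detector sees nothing, as intended.
    {"src": "10.0.5.25", "dst": "10.0.9.8",
     "payload": b"\x17\x03\x03\x00\x2a\x9f\x1b\xc4\x7e\x03\x11\x58\x6d"},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The detector only ever handles masked PANs in its output, so the alert itself does not become a second copy of cardholder data. In practice the same logic runs continuously on a SPAN or tap feed of the cardholder-data segment; any hit is a finding regardless of whether an attacker is present, because it means track data is crossing the network unencrypted where a sniffer could read it.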

Meeting Minimum PCI/DSS Security Requirements Was Not Enough

According to released reports, Heartland invested in the security products and audit processes required to comply with the Payment Card Industry Data Security Standard (PCI/DSS), but this did little to thwart a serious exposure of consumer credit card data or to help them identify they had been compromised.

Security professionals have for the longest time touted PCI/DSS as a reasonable level of care necessary to keep a business handling this sensitive data from being compromised. I believe it has helped tighten security in a lot of ways, but at the same time I also believe it has given a somewhat false sense of security to many CEOs and corporate security decision makers.

PCI compliance does reduce the risk of security incidents, but it in no way guarantees that an organization is secure. The fact that the attack on Heartland was only discovered after receiving a high rate of fraudulent transaction complaints is proof that PCI/DSS compliance is not enough to secure an organization, nor any guarantee that a Heartland-style data breach will not happen again. It took experts several weeks to find the attack, even with advance knowledge that the malicious code was alive on the network.

PCI's preventive measures could not thwart the attack, and the manual audit that was performed took weeks to discover the malicious code.

Are hackers just as bold as ever because corporations have been lulled into a false sense of security by regulations like PCI?

I say yes… but bear in mind it is impossible to create an environment that is 100% protected from a data breach. Unfortunately, without great advancements in technology, data breaches are going to continue for the near future. What’s important is how you respond, how you detect, and how you manage and mitigate the risk.

In my opinion, the best proactive protection against data breaches is proper employee training and education, together with the implementation of robust security tools on an ongoing basis.