It was a heist for the ages. In late December 2007, a notorious international cyber gang exploited an SQL injection vulnerability in a web-facing application belonging to Heartland Payment Systems, the nation's sixth largest credit card processing firm. The flaw dated back to the early 2000s and let the hackers burrow into the company's payroll services arm, says Bob Carr, Heartland's chairman and CEO, who founded the company in 1997.
But that was just a means to an end, he would learn. "This was a website that they could get into, and we immediately knew they got into it," Carr recalls. "We thought we had protected ourselves, but we didn't do enough."
Apparently, the intruders had their eyes set on a bigger prize, namely Heartland's core business, which processes roughly 100 million card numbers each month for its 250,000 merchant customers. By mid-May 2008, and unbeknownst to Heartland's security team, the hackers used their initial entry point to land on the company's internal network, where they began plundering card numbers.
Nine months passed before Princeton, N.J.-based Heartland detected the malicious software that the crooks were using to sniff the unencrypted transaction data. By then, it was too late. One week later, on the day in January that Barack Obama was sworn in as president, Heartland disclosed the breach.
When the smoke cleared, the impact was staggering: An unknown number of card numbers were stolen - some estimates place the count in the hundreds of millions. Hundreds of banks were forced to reissue cards to customers. Countless incidents of fraud were linked to the intrusion. Twenty-eight class-action lawsuits were filed against Heartland, which suffered more than $12 million in breach-related losses in the first quarter of this year alone. Almost immediately, the company's share price plummeted more than 50 percent - and has recovered only minimally since.
The incident is believed to be the largest data-loss event ever reported, although Heartland officials say they likely will never know the exact extent of the breach. Even so, it was Carr's worst nightmare. "It was devastating," says the CEO, who estimates the breach personally cost him about $100 million in stock losses. "The worst thing that can happen to a payment company is to be breached. I didn't sleep at all for a couple of days."
But if Carr was forced to find a silver lining, it may be that the incident prompted renewed discussion over the effectiveness of the payment industry's security guidelines, the Payment Card Industry Data Security Standard (PCI DSS). The standard was first published by the card brands in December 2004, and since 2006 it has been administered by the PCI Security Standards Council, founded by the five major global card brands to ensure that merchants and service providers apply uniform security controls to their payment systems.
Under PCI, every merchant and service provider that stores, processes or transmits card data must comply; those that process more than roughly one million card transactions a year (the exact thresholds vary by card brand) must also formally validate their compliance. The standard is billed as the most prescriptive data security framework in the marketplace, containing 12 major requirements and more than 200 sub-requirements.
Heartland, Carr says, passed its annual assessment with flying colors just days before hackers began stealing card numbers. But, he says, the standard doesn't go far enough and requires too much human involvement. For instance, PCI DSS requires strong encryption only for cardholder data sent across open, public networks (Requirement 4); it does not mandate encryption of data flowing over an organization's private, internal networks, which is where the hackers lifted the Heartland data.
According to the Identity Theft Resource Center, in 2008, 39 percent of identity theft victims said their stolen credit and debit cards were used to make fraudulent charges, up from 15 percent in 2007. Payment experts, such as Avivah Litan, a vice president and distinguished analyst with Gartner, say that for fraud rates to decline, the payment infrastructure needs a makeover, which means transferring at least some of the risk back to the banks and the card brands.
"[PCI] is patchwork and piecemeal," Litan says. "You need to fundamentally upgrade the payment security system. It's unrealistic to rely on six million merchants to secure their systems. They're not in the security business."
Assessment process criticism
Heartland was deemed PCI-compliant on April 30, 2008, just two weeks before the attackers began sniffing card data, Carr says. But, according to Visa and MasterCard, something changed during that fortnight which forced Heartland out of compliance. Consequently, not long after the breach was revealed this year, the two card brands temporarily removed Heartland from their list of service providers compliant with PCI.
Still, the fact that Heartland had received its necessary checkboxes just days before the hackers began siphoning data made Carr believe the assessment process was broken.
"It tells me that anyone who thinks audits are worth the paper they're written on is misinformed," he says. "They give you a false sense of security."
Rich Mogull, founder of Phoenix-based security consultancy Securosis, says this is not the first time a company has suffered a major breach after it was assessed as PCI compliant - only to have the card brands contend that it actually was not in line with the rules.
Mogull says the time has come for the PCI Security Standards Council, the body charged with administering the standard and encouraging its adoption, to take a stand. "They go in and investigate afterward, and they always find something wrong," Mogull says. "You either need to change the standard and stop passing these organizations as compliant, or you need to fess up that this is not a perfect standard."
The main issue, he says, is a lack of strong accountability for assessors who greenlight companies that turn out to be non-compliant. He says qualified security assessors (QSAs) approved by the PCI Council that do so must face stiff penalties - or be dropped from the approved list entirely. Mogull also suggests requiring that organizations undergo multiple audits in a given year.
Litan agrees: "Of all the issues I hear from my clients, the quality of the assessor is the biggest one," she says, noting that many assessments are very easy to pass and performed by ill-equipped firms.
To combat some of these concerns, the PCI Council last November implemented a quality-assurance program to supervise the approximately 190 QSAs. Under the program, the assessors essentially undergo their own audit. The council asks for redacted copies of their actual reviews of merchants and service providers to ensure the testers are "doing everything that needs to be done, as opposed to just checking the box," says Bob Russo, the council's general manager. If a QSA fails to make a certain grade, it is placed on probationary status. Depending on its score, it is given between 30 and 180 days to correct the deficiencies or risk being permanently removed as an approved vendor. So far, at least four firms have been forced into remediation.
What happened at Heartland?
In the case of Heartland, Trustwave, a leading provider of PCI services worldwide, was the QSA. After revelation of the breach, Heartland replaced Trustwave with VeriSign.
"We had a contract with Trustwave that prohibits us from suing," Carr says. "Are we unhappy? Yeah, we're unhappy. It doesn't look good to have an audit on April 30 and a couple of weeks later get data stolen."
Robert McCullen, CEO of Chicago-based Trustwave, says he was never notified by the PCI Council that his firm did anything wrong. Russo says there has never been a case where a company has been breached and then forensics pointed to assessor negligence.
"There is no evidence that I have that there was even an issue with the QSA," Russo says of the Heartland breach. "The only evidence I see is that they [Heartland] were noncompliant. If it was me that was breached to this extent and there was something so inherently wrong with the PCI program, I would be standing on a chair pointing to the exact requirement that is screwed up. And Heartland is not doing that."
McCullen says he supports the council's harsher stance on assessment accountability. But, he says, the burden for compliance ultimately falls on merchants and service providers, such as Heartland.
"This can't be a witch hunt," he says. "It has to be shared responsibility. Merchants and service providers have to maintain that level of compliant status throughout the year. We're not there after we leave."
Russo says the standards are more about security than compliance. To achieve that, merchants and service providers must apply constant vigilance to meeting the guidelines. "We have a board of advisers and one of the guys on the board is very fond of telling the other guys on the board that he is one control change away from being out of compliance," he says. "You can point the finger any place you'd like, but it's your responsibility to protect the data."
The card brands take a similar stance, saying PCI provides "minimum security requirements."
"The QSA may or may not identify everything that is addressed in PCI DSS," admits Jennifer Fischer, senior business leader in Visa's payment system risk division. "It may not be an exhaustive review of every system in the merchant's entire network. It really is the responsibility of the organization to make sure they're compliant."
Eduardo Perez, global head of data security at Visa, says his company has worked hard to educate and train merchants on this fact. One of the most pivotal parts of the data security message, though, is that retailers shouldn't hold on to information that they don't need.
Looking beyond PCI
Carr supports the PCI requirements, but says they demand the kind of round-the-clock monitoring that is asking too much of most businesses. That is why he has used the monster breach to publicize the need for the payment industry to adopt end-to-end encryption, which would keep card data encrypted at rest and in transit across five "zones," from the moment a card is swiped at the retailer's point-of-sale device all the way through the handover from the processor/acquiring bank to the card issuer, so that an intermediate system or network segment never handles the card number in the clear.
"PCI is a necessary standard, but the bad guys know how to get around a lot of the parts of it," Carr says. "And PCI standards require human beings to do certain things on a 24/7 basis, and human beings aren't perfect. If you encrypt data from the time that the card is swiped through the entire system, there are fewer points where you are vulnerable. You also have less to worry about with an insider."
Encryption is key
Heartland recently completed the first phase of the pilot program of the so-called E3 encryption technology, developed in partnership with Voltage Security, and the processor hopes its merchant customers will purchase the product. The project was actually underway before the breach occurred.
Gartner's Litan says the time has come for merchants and banks to consider technologies that aren't required under PCI, such as end-to-end encryption, chip cards (EMV) and dynamic cardholder authentication.
"Every other country is doing it," she says. "Of course, no one wants to spend money on anything. Even with all these breaches, someone is going to have to bring our payment system to its knees before banks succumb."
But Carr isn't so convinced, at least on the retail side of the payment chain. "For years, I've been hearing that merchants won't spend money to upgrade the system," he says. "I do believe merchants will spend the money to upgrade their system to greatly reduce their exposure to the problem and reduce the cost of being PCI compliant."
The card brands, meanwhile, can chip in by helping to set standards for new technology and ensuring that the solutions are supported across the payment network, Litan says. The PCI Council is awaiting a report from professional services firm PricewaterhouseCoopers, which has been charged with reviewing "different technologies to see how to make the standard more robust," Russo says. Initial findings are due this month.
In addition, Carr also intends to serve as a spokesperson for transaction security, helping to form the Payments Processor Information Sharing Council. The goal of the group, ultimately, is to keep processors, acquirers and retailers one step ahead of the hackers.
"They're picking us off, one by one," Carr says. "The cybercriminals talk to each other. They have chat rooms to talk about what works and what doesn't."
He adds that he now feels a different level of responsibility. "We've taken a major hit. Why not do anything I can do to make sure this doesn't happen to someone else?"
Carr is serious about his transparency. At the group's first meeting earlier this year, each of the 50 attendees received a USB stick. On it sat a copy of the very malware that the hackers planted on Heartland's system.
Bob Carr, Heartland Payment System's chairman and CEO, is speaking at SC World Congress next month in New York. Click on www.scworldcongress.com for more information.
Upside: Criminals won't have access to the one-time passcode; particularly beneficial for online transactions.
Tokenization
What is it? It replaces card numbers with a token: a unique reference number or symbol that stands in for the real card number in the merchant's systems.
Upside: The token can't be used to make fraudulent purchases, so it has no value to attackers.
Downside: Cost; complexity, as a large number of applications may need to be revamped.
– Dan Kaplan
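To make the tokenization item above concrete, here is a small worked example. It is added for this page and is not Heartland's, Voltage's or any vendor's code; the `TokenVault` class, the `merchant_checkout` helper and the test card number 4111 1111 1111 1111 are assumptions for illustration only. The vault hands the merchant a random token of the same length as the card number (PAN), keeping only the real last four digits for receipts; everything stored or sniffed on the merchant side is the token, and only the vault can map it back.

```python
"""Tokenization vault (added example): replace a PAN with a random token.

Standard library only. The merchant never stores the PAN; a token that leaks
from its database or from a sniffer on its internal network is worthless
without the vault's mapping.
"""
import re
import secrets

_PAN_SHAPE = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812) that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for the vault a processor would run (assumed design).

    The two dictionaries are the only link between a PAN and its token. In
    production they would live encrypted, behind access controls, inside the
    vault's own PCI scope.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _random_token(pan: str) -> str:
        """Same length as the PAN, real last four, cryptographically random elsewhere.

        Candidates that happen to pass Luhn are discarded, so a token can never
        be mistaken for, or presented as, a real card number.
        """
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for its token; the same card always gets the same token."""
        pan = pan.replace(" ", "").replace("-", "")
        if not _PAN_SHAPE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = self._random_token(pan)
        while token in self._pan_by_token:      # collision is astronomically unlikely
            token = self._random_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault side can recover the PAN; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant-side flow: the PAN is swapped for a token at capture time and the
    merchant's own transaction record never contains the card number."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "4111 1111 1111 1111", 1999)   # constructed test PAN
    print("merchant stores:", record)
    print("vault recovers:", vault.detokenize(record["token"]))
```

The design choice worth noting is that the token deliberately fails the Luhn check: it keeps the length and last four digits that downstream applications expect, which limits the "revamp" cost the sidebar mentions, yet it cannot be replayed as a card number anywhere. The trade-off is that the vault becomes the single high-value target and must be protected (and assessed) accordingly.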
Concern: Assessors aren't held accountable if they perform shoddy work.
Rebuttal: The PCI Security Standards Council implemented a quality-assurance program to grade assessors. If they receive poor marks, they are put on probation until they fix their flaws.
Concern: Assessors are able to sell security solutions to the retailers and service providers they review for compliance, a major conflict of interest.
Rebuttal: No merchant is required to purchase security products and services from its assessor. And all assessors must agree to an "independence clause" that says they must notify their customers that other companies also offer similar solutions.
Concern: Merchants can find a cheap assessor to validate them as compliant.
Rebuttal: All assessors must meet certain requirements and have payment experience to perform the reviews.
– Dan Kaplan