In this month’s cover story, we hear from one of our SC World Congress keynote speakers, Heartland Payment System’s CEO Robert Carr. We had some interesting conversations with him leading up to his agreeing to both speak at our event and become a cover story subject for the magazine. The gist of those: The Payment Card Industry’s Data Security Standards (PCI-DSS) and related enforcement mechanisms don’t work; audits by the PCI-approved Qualified Security Assessors (QSAs) often give companies a false sense of security; being PCI-compliant doesn’t mean all systems are safe and sound; and all organizations must work together – just as the bad guys do – to get secure.
None of these thoughts are new, of course. That PCI offers the most prescriptive data security standard available, there are just as many or more views that it’s one of the worst – a vague mandate that provides little return and more headaches for most organizations. And there have been loads of off-the-record complaints from our readers about the value and legitimacy of QSAs associated with PCI, with many stating or implying that some auditors simply provide a stamp of approval when further of their services or products are purchased. (PCI Security Standards Council, unsurprisingly, has enhanced its QSA program requirements and reviews because of these cries of dissent, which we discuss in the story.) On top of this, even if PCI helps organizations get more secure, being found compliant only lasts as long as the organization monitors its network for configuration changes, vulnerability updates, and system updates and implements appropriately. PCI offers a decent baseline, but as at Heartland, Hannaford and other organizations that were deemed PCI-compliant and then experienced breaches, attackers will find ways to break into systems that card issuers and many of the rest of us haven’t even fathomed. So, that leaves us with Carr’s last point.
Carr’s company was PCI-compliant. Attackers still got in. So, in addition to all the steps taken to get in line with PCI, Heartland has intensified its march to safeguard the corporate infrastructure. From network segmentation to end-to-end encryption and data leak prevention, they’re trying hard to cover their bases. But, there’s more to it than that. To Carr, the way to fight cyberattacks is to work together with other organizations, especially as the likes of spear phishing, SQL injections, network and CPU sniffers, stealth trojans, keyloggers and other methods of attack become more evolved, he says. “In addition to making improvements to our own system design to integrate security, companies must work together to help educate one another, share examples of attack types, discuss solutions and policies, and more,” he says. Through Heartland, Carr’s doing this, having formed a payment-processing council that even includes competitors. Working “overtime to play defense” isn’t viable any longer. The way forward: information sharing, the integration of security as a fundamental of business – from a philosophical, technical and policy standpoint, and getting just as organized as cybercriminals all to become just that much more proactive.
Sounds like a plan to me. Let’s get the discussion started. Join us at SC World Congress October 12-13.