That's because the Princeton, N.J. firm was certified as PCI DSS compliant, according to Visa. (That status is now, not surprisingly, "under review.")
But whoever these intruders were that got away with potentially tens of millions of credit and debit card numbers being processed by Heartland, they were able to do it without without a stir.
Many experts this week are surmising that the cybercrooks took advantage of a vector that PCI doesn't address: Data traversing over private networks. In the case of Heartland, it appears the vandals were able to insert data-sniffing trojans on unencrypted private lines, which enabled them to siphon the credit card numbers in real time.
The PCI council, charged with administering the standard, will argue that other controls required under the guidelines can prevent this type of attack.. But perhaps it's time to revisit the need to require the encryption of all networks, both public and private.
Meanwhile, Mike Rothman, a former analyst, argues that the council might want to also give a closer look to the monitoring requirements, which, in his opinion, aren't strict enough:
If you are not monitoring configuration, asset, performance, and flow data in addition to logs, you are exposed.
Rothman and others are becoming increasingly critical of PCI because Heartland marks the second high-profile breach in less than a year in which a PCI-compliant company suffered a massive hack. Supermarket chain Hannaford was the other.
The state of Massachusetts, in a report that reviewed the number of breaches that affected state residents in recent months, questioned the effectiveness of mandates such as PCI.
Hannaford had been certified as PCI compliant in 2007 and in February 2008, at the very time, we are told, that the malware interception was taking place! While reasonably up-to-date malware protection might not have been effective against the new and sophisticated malware used in the Hannaford case, encryption of that data would probably have rendered its interception harmless.
And now for the zinger in the report:
The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.
Harsh, for sure. But perhaps not too out of line. Clearly, PCI presents comprehensive and prescriptive guidelines that have been instrumental in forcing companies not in the business of protecting data -- retailers, processors, etc. -- to think about the need to safeguard this stuff. But perhaps it's time for a more robust overhaul.
Or -- and this is more likely -- maybe it's time for organizations to truly grasp the concept that compliance does not equal security. It's a common refrain sung by vendors and analysts alike, but it's true. Compliance is merely a snapshot in time. So if Heartland was deemed compliant last April, as it was, the company could've been way out of compliance by the time the hackers got in. Or maybe even as soon as the next day.
The real worry is that, given the sophistication of the criminal community, 2009 is going to bring a lot of Heartlands.
And if records are made to be broken, TJX has no shot of keeping its title of largest reported data breach.