Heartland breach raises questions about PCI standard's effectiveness

Heartland breach is the latest in global fraud epidemic, follows RBS Worldpay breach disclosure in December


It's not yet known if Heartland Payment Systems' newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded.




"Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan. "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt."

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers. 

But Litan notes the complex interconnections among payment-card processors, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated.

The irony, Litan says, is that some retailers today do encrypt data in motion inside their private store networks (even though it's not mandated by the PCI standard) and they have to decrypt it before they send it to their processors.

Heartland was compliant with PCI, certified by PCI assessor Trustwave in April, but PCI compliance isn't stopping the wave of attacks against payment processors, Litan notes. She points out that the PCI standard does include a requirement for file-integrity checking at least weekly, so something may have broken down in that area that allowed the malware to remain unnoticed for so long.
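The weekly file-integrity check the paragraph refers to, as an added Python illustration (not Heartland's, Trustwave's or any PCI-listed product): a baseline of file hashes is recorded on first run, and each later scan reports files that appeared, vanished or changed since then, which is how unexpected code on a processing host is meant to get noticed in days rather than months.

```python
"""Baseline-and-compare file-integrity check of the kind PCI DSS requires at
least weekly (added illustration, not any vendor's tooling)."""
import hashlib
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline.
    A new or modified executable on a payment host is exactly the finding a
    weekly check exists to surface."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def check_tree(root: Path, baseline_file: Path) -> dict:
    """Diff the tree against a saved baseline, creating the baseline on first run.
    Keep baseline_file outside root (and ideally off-host) so it is not itself
    something an intruder on the box can quietly rewrite."""
    current = build_baseline(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "modified": []}
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, current)
```

The report is only as good as the schedule and the follow-up: a check that runs weekly but whose output nobody reads still leaves months for malware to sit undetected.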

It's not just Heartland under attack, Litan notes.

Atlanta-based RBS WorldPay, the U.S. payment processing arm of the Royal Bank of Scotland Group, in late December also disclosed its network had been breached. Personal information on about 1.5 million cardholders and other individuals may have been affected as well as 1.1 million Social Security numbers of individuals.

A spokesperson at RBS WorldPay today said the breach was first identified on Nov. 10, and it took more than a month to make a basic determination of what was impacted and to reach out to customers. The FBI is involved in the case, the spokesperson adds.

"The processors are definitely being targeted," Litan says, noting that once a breach occurs, it can have a terrible impact on business. CardSystems, which suffered a data breach in 2005, was basically put out of business as a result of it.

The PCI Security Standards Council late last year began discussing how end-to-end encryption might be accomplished for the industry. The Council did not comment this week on the Heartland data breach except to issue a statement saying: "As the Council does not monitor or track compliance, nor does it engage in forensics investigations, we do not have insight into the details of any specific breach." The Council said it would be "inappropriate" to discuss it.
