http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough?taxonomyId=17

By Jaikumar Vijayan
Computerworld
January 6, 2010

Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security.

Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007.

However, it wasn't just the scope of the Heartland breach that made it remarkable, but also the company's insistence that it was certified as fully compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) when it was compromised.

In public comments after the breach, Heartland CEO Robert Carr emphatically claimed the intrusion occurred even though the company had implemented every single one of the security controls mandated by the PCI standard. In an interview with Computerworld last June, Carr said the breach pointed to both the sophistication of the attacks against Heartland and the inadequacy of relying on PCI controls alone for data security.

[...]