From The Editor | February 9, 2009

Could Heartland's Breach Happen To You?

Without A Queue

Four top PCI compliance experts address your concerns about future data breaches, liability, PCI compliance, and the possibility of government intervention.

By John Roach, Editor, Retail Solutions Online

Retailers' fears over data security and PCI compliance were realized again last month when payment processor Heartland Payment Systems announced that hackers had used malware to infiltrate the company's system. The breach compromised up to 100 million payment card transactions, 250,000 businesses, and an as-yet unknown quantity of card numbers, making it perhaps the largest data breach ever reported. (Heartland, according to a company press release, does not yet know how many card numbers were obtained and calls some reports about the scope of the breach "speculative.")

PCI compliance and data security have become hot-button topics for retailers over the past two years as a result of major data breaches at RBS WorldPay Inc., Hannaford Bros Co., and TJX Companies Inc, among others. Retailers' concerns about these issues include: fear of devastating financial losses, questions of liability, the likelihood of future breaches, the effectiveness of their own compliance efforts, and the possibility of government intervention.

I recently spoke to several top PCI compliance and data security experts about what the Heartland breach means for the industry, how susceptible retailers are to similar attacks, and what retailers need to do to protect themselves. They included Dave Taylor, founder of PCI Knowledge Base (; Dave Shackleford, chief security officer of Configuresoft's Center for Policy and Compliance; Ed Rarick, PCI Evangelist at Tripwire Inc.; and Scott Laliberte, a managing director with Protiviti Inc.'s Global Information Security Practice.

Does Heartland's breach — and other recent data breaches — undermine the credibility of PCI compliance?

Dave Taylor, PCI Knowledge Base: PCI compliance does not guarantee data security. Companies need to be honest and not kid themselves that what they're doing with regard to PCI compliance will necessarily prevent breaches. Security breaches can occur in spite of PCI compliance because the hackers are bad people — and they're smart.

Retailers need to look at their available funds and implement as many security measures as they reasonably can afford beyond basic compliance, aim to be commercially reasonable in their efforts. With budgets cut and staff reduced, companies have tough choices to make, and people may be inclined to "grade on a curve" when it comes to assessing and addressing their risk. But the last thing you want to do is lie to yourself, or you'll be completely unprepared if something does happen.

Scott Laliberte, Protiviti: Everyone is looking and hoping they're not the next victim, and trying to figure out what they can do to make sure a security breach doesn't happen to them. The fact that Heartland was PCI-compliant has people thinking: "I'm PCI-compliant. Am I still at risk?" PCI compliance alone isn't the silver bullet to ensure that you're not going to have a breach.

Does PCI compliance give retailers a false sense of security?

Dave Shackleford, Configuresoft: Absolutely. But here's the optimistic viewpoint, and I think it's the right one: PCI is a helluva lot better than nothing. Before PCI compliance, a lot of companies were doing the very bare minimum in terms of data security. Compliance mandates are meant to be a starting point. Even PCI compliance, which is largely considered to be a more exhaustive and comprehensive technical range of controls and practices, is still only a foundation that you build on.

Remember, PCI compliance initiatives are a snapshot in time. An auditor performs his assessment, works through his checklist, and then goes away for a year or six months. But things move real fast in the world of IT. I guarantee you, two weeks after the auditor has left, significant changes are occurring in those environments. And often times, those changes could completely throw off the compliance stature of those IT organizations. Don't forget, Heartland was PCI-compliant.

So does that mean that more data breaches are inevitable?

Ed Rarick, Tripwire: Yes, and more are happening now than people realize. The Heartland breach is just so big, which is why it makes worldwide news.

Shackleford: The scary thing about Heartland is not so much that they had a breach. People have breaches. They clean them up, work around them, deal with them, and move on. Look at TJX; they're still doing great. The scary part is that, from what I've read — and we don't know all the details yet — Heartland doesn't know how the hackers got in and how long they were in. That is a much scarier thing.

What should retailers do in response to the Heartland breach and likely future breaches?

Laliberte: Quite a few retailers took a "check-the-box approach" to PCI compliance — they strove to get the minimal level of control in place to comply and to avoid possible fines. Hopefully, the Heartland breach makes them realize they need to look at a couple of things. One would be a broader program where they assess their risks overall and, as far as PCI control, mitigate those risks. Also, hopefully they'll look at a maturation of some of these PCI controls. This breach really stresses the fact that if companies get more robust, automated processes — rather than manual ones — to reach control objectives, then the processes will be less likely to break down.

Shackleford: A friend of mine in the FBI has a line: "The hacker only has to be right once." It's a grim statement, but it's true. The key is, you have to figure out what the hackers are usually right about and focus on reinforcing those areas. The vast majority — 95%-plus — of chinks in the armor that hackers use to get in are not complicated to protect. Breaches usually come down to one of three things: The company misses a patch, doesn't lock down the system effectively, or uses poor coding practices.

Rarick: Retailers need to quit thinking of PCI compliance as a way to avoid a fine. The first step toward having a commitment to good data security is to have the right tone at the top of an organization. Doing things right is a mindset. I had an engineer tell me once, "If you manage by the month, you slip by the month. If you manage daily, you slip daily." The same thing is true here. You're not going to stop people from hacking. They're going to get in. But if you have the right commitment and approach to data security and detect unauthorized changes within three hours, it's a whole lot easier to handle than if you find them in three months. Waiting until just before your audit to worry about PCI compliance is like mowing your lawn once every four months — it's a lot harder to complete the task.

Is a retailer who uses a service provider for PCI compliance free of liability in the event of a breach?

Taylor: Just because you're sending data elsewhere doesn't mean you're sending the liability elsewhere. People are a little unclear on that. A lot of retailers rely completely on service providers — and they shouldn't do that without performing appropriate due diligence. You should audit your service providers. Considering all of the different places and companies that have access to your data, a third-party audit of your provider doesn't cost very much. Low-cost projects like that are worth the money.

Are the current PCI standards lacking?

Rarick: PCI DSS Version 1.2, which took effect Jan. 1, 2009, has one big change that's relevant here: It aims to make Qualified Security Assessors (QSAs) more uniform in their interpretation and implementation. As a result, Version 1.2 also comes with more enforcement and punishment for the assessors themselves.

Laliberte: PCI compliance, in general, is a great idea, and all of the recommended controls are good ideas. But I've found that organizations can get tangled up trying to get all of the controls in place and operating effectively. It takes a lot of money and a lot of time.

I think it's time for PCI compliance to undergo a transformation, similar to what the SEC and PCAOB [Public Company Accounting Oversight Board] did for Sarbanes-Oxley Section 404 compliance with the Interpretive Guidance to Management and Auditing Standard No. 5 [in 2007]. Let's concentrate our focus on the key controls that are going to count and really prevent a problem. With Version 1.2 of the PCI standard, we're up to 248 controls — there were 235 in Version 1. It seems like we're going the wrong direction.

Of those 248 controls, there is probably a subset of 50 to 100 that are the real key controls. If you have them in place and operating effectively, you're going to cut down on 95% or more of the potential breaches. By concentrating on a smaller number of controls that really matter, companies could invest significantly in them and make them more robust, more mature, and more effective. That approach worked with making Section 404 compliance more focused and effective. It can work here, too.

Will the government intervene and take over PCI compliance?

Taylor: The government could take over PCI , but why would it? Heartland wasn't big enough. There would need to be multiple major breaches in the space of two or three months. If that happens, then you might have evidence that the whole PCI compliance infrastructure industry is going to hell in a handbasket. And still there would be a few steps between the government holding hearings about PCI compliance and it taking over the whole system.

Shackleford: Government is keeping a very wary eye on this industry and its compliance regulation. There's good and bad with that level of scrutiny: For retailers, initially it would be good because there would be some immediate and dramatic changes that would probably help the people that need the help the most — the retailers. The negative side of government-regulated PCI compliance is that it would enter the lumbering machine known as government bureaucracy, and then who knows how often the compliance standards would get updated and whether they would still stand as best practices.

Have a comment about this article? Let me know. Contact me at