I saw an interesting article in Network World, which basically questions PCI's effectiveness in the wake of the RBS and Heartland breaches. In a post I wrote earlier this week, "In God We Trust, Visa/MC is Another Issue(r). I wrote:
The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payment system at it's very core. Whether it's Visa, MasterCard or NACHA, if any of these system are breached, it's the end of e-payments as we know it. Do they know it?"
I'm aware of someone else who knows it....in this article, Avivah Litan points out some very interesting facts, some of which I've included below. To read the entire article, click the Network World link below:
Heartland breach raises questions about PCI standard's effectiveness - Network World
The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payment system at it's very core. Whether it's Visa, MasterCard or NACHA, if any of these system are breached, it's the end of e-payments as we know it. Do they know it?"
I'm aware of someone else who knows it....in this article, Avivah Litan points out some very interesting facts, some of which I've included below. To read the entire article, click the Network World link below:
Heartland breach raises questions about PCI standard's effectiveness - Network World
It's not yet known if Heartland Payment Systems' newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded.
"Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan. "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt."
Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers.
"The processors are definitely being targeted," Litan says, noting that once a breach occurs, it can have a terrible impact on business. CardSystems, which suffered a data breach in 2005, was basically put out of business as a result of it.
Editor's Note: Speaking of impact, will Heartland ever recover from this nightmare? There's definitely a black cloud hanging over it. Yesterday their stock went into a free fall, ending 42% lower than it started out. I expect a significant merchant attrition impact, so even if they do come out of it, it won't be as the nations 6th largest acquirer. At the end of the day, I believe what determines Heartland's survival, is whether they (or their lawyers) can get Visa/MC to cover the banks cost of replacing all the debit/credit cards.
You might think that the fact that they were PCI certified and that the data was encrypted when it left the building, but unencrypted at the V/MC level would provide fodder for a good argument. I have the sneaky feeling that the "dynamic duopoly" will hold that Heartland is liable. It's going to messier before it gets prettier, no doubt.