Compliance Doesn't Necessarily Mean You're Safe
Kevin Albright - Product Marketing Manager
By now I’m sure you’ve heard about last week’s breach at Heartland Payment Systems. The number of total records compromised has not yet been released, but given California’s SB 1386 we should be hearing some sort of estimate soon. What is known is that Heartland has contacted 150,000 merchants that it processes payments for and it handles roughly 100 million credit card and debit card transactions per month. Given that this breach is suspected of starting in October 2008, the quick and dirty math should give you a rough estimate of how big this breach is… Huge! Already companies have been contacting customers, issuing new cards, and we are all put on alert to watch our credit card and debit card statements in the coming months.
The interesting thing about this breach is that Heartland was PCI compliant, and that the nature of this breach fell within the rules of the PCI-DSS v1.2 published October 2008 (ironically the same month the suspected breach began). Reportedly, malicious software found its way into Heartland’s data center and began sniffing traffic off private leased lines carrying transactions between systems. This traffic was unencrypted and an easy target for a simple sniffer program extracting credit card numbers from the plaintext transmissions. The malicious program then sent the gathered credit card information to a collector system (I wonder if they encrypted it?). Visa and MasterCard contacted Heartland last month on reports of numerous fraudulent charges on cards whose transactions Heartland had processed.
PCI-DSS standard v1.2 requirement 4.1 states “Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” It also requires encryption when transmitting over wireless networks and when using end-user messaging technologies such as e-mail, chat and IM. However, the standard does not require any form of encryption when transmitting credit card data across private network segments as was the case at Heartland.
Heartland’s website 2008breach.com posted the following statement in its press release on January 23rd: “For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption — which protects data at rest as well as data in motion — as an improved and safer standard of payments security.”
Leaving aside the failed Secure Electronic Transactions (SET) initiative of the 1990s, which attempted to secure data between merchant and processor when transmitted over ‘insecure networks’, simply encrypting these transactions, whether they cross ‘secure’ or ‘insecure’ networks, could have prevented this incident altogether.
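Both halves of the point above, the plaintext card data that a sniffer on a “private” segment can read because requirement 4.1 does not cover that segment, and the end-to-end encryption that would have left it nothing to read, fit in a short Go program. This is an added example, not code from this post, from Heartland or from the PCI council. It runs the Luhn-based scan a DLP or network sensor uses to detect cardholder data crossing a wire in the clear over a constructed authorization record, then seals the same record with AES-256-GCM so that a capture anywhere between merchant and processor yields nothing scannable and any modification in transit is rejected. The record layout and field names, the zero-cost key generation, and the use of 4111111111111111 (the standard Visa test PAN) are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample of a merchant-to-processor authorization record; the
// layout is an assumption, not Heartland's wire format. 4111111111111111 is
// the standard Visa test PAN; ref is a 16-digit value that is NOT Luhn-valid,
// to show the scanner does not flag every long run of digits.
const DemoRecord = "merchant=000123;pan=4111111111111111;exp=1012;amt=1999;ref=1234567890123456"

// luhnValid reports whether a digit string passes the Luhn checksum that
// every payment card number carries.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 0 && sum%10 == 0
}

// Candidate PANs are 13 to 19 digit runs bounded by non-digits.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// FindPANs is the check a DLP or network sensor watching an internal segment
// runs on each captured payload: every Luhn-valid candidate it returns is
// cardholder data crossing the wire in the clear.
func FindPANs(payload []byte) []string {
	var hits []string
	for _, m := range panPattern.FindAllString(string(payload), -1) {
		if luhnValid(m) {
			hits = append(hits, m)
		}
	}
	return hits
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the merchant side of end-to-end encryption: the record is sealed
// with AES-GCM and the random nonce is prepended so Open can recover it.
func Seal(key, record []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, nil), nil
}

// Open is the processor side: it decrypts and rejects any record whose
// nonce or ciphertext was altered on the way.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed record shorter than nonce")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Placeholder key generation; in a real deployment the key is held in an
	// HSM or key-management service shared only by merchant and processor.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("PANs visible in plaintext record:", FindPANs([]byte(DemoRecord)))
	sealed, err := Seal(key, []byte(DemoRecord))
	if err != nil {
		panic(err)
	}
	fmt.Println("PANs visible in sealed record:   ", FindPANs(sealed))
	sealed[len(sealed)-1] ^= 0x01 // simulate a modification on the wire
	if _, err := Open(key, sealed); err != nil {
		fmt.Println("processor rejected tampered record:", err)
	}
}
```

The same scan that flags the plaintext record is what a sniffer on the leased line had to work with, which is why the scanner finding nothing in the sealed record is the outcome that matters: with encryption applied at the merchant and removed only at the processor, the question of whether a given segment counts as “open, public” under requirement 4.1 no longer decides whether card numbers are exposed.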