Wednesday, January 21, 2009

Heartland Security Breach - Here We Go Again

If you needed to get bad news out, today was the day. With the world watching the inauguration of President-elect Barack Obama, Heartland Payment Systems announced a mammoth breach of their security. Heartland who, you ask? New York readers can breathe a sigh of relief - this is not Heartland Brewery and the credit card you use to pay your tab is safe. But on second thought, that card number might not be so safe after all. Heartland Payment Systems is the 6th largest credit card processor in the country and serves no less than 250,000 locations. There's a good chance your credit card number is floating somewhere in their system even if you have only ever used it to buy an occasional beer.

We don't know much about the breach right now; in fact, most people don't know much about Heartland (its Wikipedia entry is two sentences long as of today, but that's bound to change in the coming days).

We are going to be hearing a lot about this breach, and it will follow TJMaxx, Hannaford, and other looseners of the security purse strings into the sales pitch of every information security consultant.

But for now we know very, very little about what actually happened. We can't conclude much on the very flimsy information we have, but here goes:

Obvious lesson #1: payment processors are a very attractive target for criminals. Their resources-to-sensitive-data ratio is relatively low (in relation, say, to a bank), which makes them a softer target. They also process pure gold - attackers do not need to sift through mountains of other data and complex architectures they might encounter elsewhere.

Obvious lesson #2: the PCI system as it is currently implemented does not stop every attempt to steal credit card data. Like Hannaford before it, Heartland was PCI certified (by Trustwave, according to the Payment Systems Blog). 

The fact that PCI ≠ end-of-all-data-breaches-for-eternity has not stopped the renewed calls for PCI to be revamped, eliminated, or replaced. In an interview with Computerworld, Avivah Litan of Gartner says, "More radical security moves need to be taken by payments industry as a whole ... Such incidents show that the security requirements of ...PCI DSS being pushed by the major card companies is clearly not enough."

Unless Gartner is privy to some non-public information about this case, that's quite the rush to judgment. The grandiosely named  - Heartland's official site for breach information - has very scant information on the breach. So on what basis is Gartner saying that the security requirements of PCI DSS are not enough? While that may be the case, I would argue that there are at least a few other scenarios:

1) The PCI DSS requirements are enough to prevent the vast majority of data breaches, and the payment card industry accepts that incidents like this will happen from time to time. I don't work for Visa or Mastercard or anyone else in the payment industry, so I have no way of knowing if this is true. But clearly the PCI standards are meant to achieve a reasonable balance between security investment and risk reduction. This incident alone, and others like it, are not in and of themselves evidence that this hasn't happened.

2) The security requirements of PCI DSS are enough, but there was a failure of the enforcement mechanism (i.e., QSAs and ASVs and the like). Again, the only detail we really know is something about "malicious software". It may very well be the case that strict adherence to PCI would have prevented this malicious software from getting installed or from being effective.

3) The security requirements are not the problem; the broad license to introduce and interpret "compensating controls" is. This has always been an Achilles' heel of PCI, since it introduces an almost entirely subjective element into the PCI process. There is very little accompanying PCI documentation to define the allowable and appropriate scope of compensating controls.

In the coming days and weeks we will get a better indication of what exactly happened. This breach may well reveal gaping holes in the security requirements in PCI as Gartner claims, but for now my money is on something less radical than that.

And one final thought on the entire PCI process. Because PCI is in such early days, there has never (as far as I know) been any real legal test of the liability mechanisms behind PCI auditing. If Trustwave mistakenly certified Heartland as PCI compliant, does it bear some of the costs associated with this breach? If the answer to this question remains negative, I don't know how we will ever get effective and reliable PCI audits. 
