The data breach at Heartland Payment Systems that exposed
millions of credit card holders in the US to fraud proves
that regulatory compliance alone is not enough.
Despite being compliant with the
Payment Card Industry Data Security Standard (PCI DSS),
cybercriminals were able to gain access to Heartland's systems.
The criminals installed spy software to steal credit card
details as millions of transactions were processed for an unknown
period from May 2008.
This incident should serve as a wake-up call that PCI compliance
should be used only as a starting point, said Matt Pauker,
co-founder of US-based firm
Voltage Security.
"Achieving PCI compliance does not imply that a business has
achieved real security," he said.
For example, said Pauker, the PCI DSS does not currently require
that credit card data be encrypted on internal networks.
These gaps create excellent attack points for hackers as data is
fully exposed, said Mark Bower, director of information protection
at Voltage.
"The only solution to eliminate this threat is end-to-end
encryption," said Bower.
Only 2.4% of data breaches in 2008 involved data protected by
encryption or other strong protection methods, according to an
Identity Theft Resource Center report.
"It is obvious that the bulk of breached data was unprotected by
encryption," the report said.
The number of credit card details exposed by the intrusion has
not been disclosed, but Heartland handles about 100 million
transactions a month.
In light of these numbers, the Heartland data breach could far
exceed the 45 million identities stolen from nine US retailers
including TJX in 2007.
Heartland claims the security breach has been contained, but
advised credit card holders to examine their statements and report
any suspicious activity to card issuers.
The breach could also affect anyone who travelled to the US in
2008 because Heartland handles credit card transactions for more
than 250,000 businesses there.
Since the breach was revealed by Heartland, several US banks
have cancelled thousands of debit and credit cards to protect
customers from fraud.