The data breach at Heartland Payment Systems, which exposed millions of US credit card holders to fraud, proves that regulatory compliance alone is not enough.
Although Heartland was compliant with the Payment Card Industry Data Security Standard (PCI DSS), cybercriminals were still able to gain access to its systems.
The criminals installed spy software to steal credit card details as millions of transactions were processed for an unknown period from May 2008.
This incident should serve as a wake-up call that PCI compliance is only a starting point, said Matt Pauker, co-founder of US-based firm Voltage Security.
"Achieving PCI compliance does not imply that a business has achieved real security," he said.
For example, said Pauker, the PCI DSS does not currently require that credit card data be encrypted on internal networks.
These gaps create excellent attack points for hackers as data is fully exposed, said Mark Bower, director of information protection at Voltage.
"The only solution to eliminate this threat is end-to-end encryption," said Bower.
Only 2.4% of data breaches in 2008 involved data protected by encryption or other strong methods, according to an Identity Theft Resource Center report.
"It is obvious that the bulk of breached data was unprotected by encryption," the report said.
The number of credit card details exposed by the intrusion has not been disclosed, but Heartland handles about 100 million transactions a month.
In light of these numbers, the Heartland data breach could far exceed the 45 million identities stolen from nine US retailers including TJX in 2007.
Heartland claims the security breach has been contained, but has advised credit card holders to examine their statements and report any suspicious activity to their card issuers.
The breach could also affect anyone who travelled to the US in 2008 because Heartland handles credit card transactions for more than 250,000 businesses there.
Since the breach was revealed by Heartland, several US banks have cancelled thousands of debit and credit cards to protect customers from fraud.