The indictment of Albert Gonzalez for the theft of 130 million credit and debit card details from Heartland Payment Systems caught the headlines recently, not for the indictment in itself or because Heartland’s security defences had been bypassed, but because the company had been declared PCI compliant by Qualified Security Assessors in April 2008. What was worrying about the case was the subsequent statement from CEO Robert Carr dismissing the value of PCI: “The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever.” An audit doesn’t make you secure; it ensures you are meeting a minimum requirement at a given point in time. Carr’s protestation is akin to saying there is no point in having a law around seat belts!
Although it is mainly the retail industry that is up in arms over the data hack, financial institutions should be aware of the knock-on effect of a breach like this. One credit union put the total from fraudsters using these stolen card numbers at nearly $70,000 per card. The lesson learnt from the ongoing Heartland/PCI debate shouldn’t be that PCI failed Heartland; it is that compliance does not automatically equal a high-grade security posture, and all companies (financial and retail alike) must take full responsibility for that.
The fact of the matter is that the majority of people concerned with compliance are driven to look at just the requirements of the specific piece of legislation. Compliance does not, and cannot, immediately result in a secure IT estate. When it comes to risk, it’s worth remembering that a secure environment is multi-faceted and requires technology, people, process and policy to help businesses decide how to mitigate that risk to a level they are comfortable with.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.