MADISON, Wis. (1/30/09)--Credit unions monitoring the Heartland Payment Systems data breach may wonder how it happened to such an extent that an estimated 100 million cards might be compromised. The breach has reopened the debate about security standards, and several experts are questioning whether the Payment Card Industry Data Security Standard (PCI DSS) is enough. The PCI standard is a set of security controls mandated by the major credit card companies Visa and MasterCard for companies handling or processing credit and debit card information.

The Heartland breach, like the Hannaford Bros. breach in 2008, involved data en route to a payments system. Both companies were apparently compliant with PCI DSS. Hannaford had been deemed compliant by the credit card companies about three months before it announced its data breach. Heartland, based in Princeton, N.J., was certified as PCI-compliant in April by Trustwave, a PCI assessor, according to Gartner analyst Avivah Litan (NetworkWorld Jan. 22). Because it is a payments processor, as opposed to a retailer or merchant, Heartland is expected to have stronger controls for preventing, detecting and responding to system breaches (ComputerWorld Jan. 22).

The breach apparently occurred when hackers planted "sniffer" malware that captured card data as it moved through Heartland's network and then removed that data from the network in encrypted data streams. How could such a thing happen? Litan suggested to ComputerWorld that Heartland may not have routinely monitored the integrity of its files for unauthorized content. Others say it may not have used all the security controls required by the PCI standard, such as analyzing the log data from its firewalls and intrusion prevention systems. Litan told NetworkWorld that PCI doesn't mandate encryption inside a private network because then all the processors would have to encrypt.
But, she added, the complex interconnections among payment card processors, financial institutions and merchants would make point-to-point encryption unwieldy. End-to-end, application-level encryption, however, might be more feasible at the point where the card data originates. Some retailers encrypt data in motion inside their store networks but then have to decrypt the information to send it to their processors.

The Heartland breach "should make one thing clear: the standards for security around credit card numbers still aren't good enough," said Luther Martin, a solution architect with Voltage Security, writing in Help Net Security Jan. 29. The PCI standard "is a good first step, but it's not quite enough," he said.

However, that doesn't mean the standard has become irrelevant, according to tech writer George Hulme in InformationWeek's Security Weblog (Jan. 27). "Being compliant to any mandate won't make one secure," Hulme wrote, adding that building a secure and sustainable infrastructure is important. Retailers, manufacturers and health care providers typically have the least mature security programs, he said. Still, the PCI standard has raised the security level, especially in the retail industry. But, Litan said, the payments processors are "definitely being targeted."