Data theft sparks another debate about standards
MADISON, Wis. (1/30/09)--Credit unions monitoring the Heartland Payment Systems data breach may wonder how it happened to such an extent that an estimated 100 million cards might be compromised. The breach has reopened the debate about security standards, and several experts are questioning whether the Payment Card Industry Data Security Standard (PCI DSS) is enough.

The PCI standard is a set of security controls mandated by the major credit card companies Visa and MasterCard for companies handling or processing credit and debit card information.

The Heartland breach, like the Hannaford Bros. breach in 2008, involved data en route to a payments system. Both companies were apparently compliant with PCI DSS. Hannaford had been deemed compliant by the credit card companies about three months before it announced its data breach. Heartland, based in Princeton, N.J., was certified as PCI-compliant in April by Trustwave, a PCI assessor, according to Gartner analyst Avivah Litan (NetworkWorld Jan. 22).

Because it is a payments processor, as opposed to a retailer or merchant, Heartland is expected to have stronger controls for preventing, detecting and responding to system breaches (ComputerWorld Jan. 22).

The breach apparently occurred when hackers planted "sniffer" malware aimed at capturing information as data moved through Heartland's network and removing it from the network in encrypted data streams.

How could such a thing happen? Litan suggested to ComputerWorld that Heartland may not have routinely monitored its files' integrity for unauthorized content. Others say it may not have used all the security controls required by the PCI standard, such as analyzing the log data from its firewalls and intrusion prevention systems.

Litan told NetworkWorld that PCI doesn't mandate encryption inside a private network because then all the processors would have to encrypt. But, she added, the complex interconnections among payment card processors, financial institutions and merchants would make point-to-point encryption unwieldy. End-to-end application-level encryption, however, might be more feasible at the origin of the card data. Some retailers encrypt data in motion inside their store networks but then have to decrypt the information to send it to their processors.

The Heartland breach "should make one thing clear: the standards for security around credit card numbers still aren't good enough," said Luther Martin, a solution architect with Voltage Security, writing in Help Net Security Jan. 29. The PCI standard "is a good first step, but it's not quite enough," he said.

However, that doesn't mean that the standard has grown irrelevant, according to tech writer George Hulme in InformationWeek's Security Weblog (Jan. 27). "Being compliant to any mandate won't make one secure," Hulme wrote, adding that building a secure and sustainable infrastructure is important. Retailers, manufacturers and health care providers typically have the least mature security programs, he said. Still, the PCI standard has raised the security level, especially in the retail industry. But, Litan said, the payments processors are "definitely being targeted."
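The file-integrity monitoring Litan refers to is a routine control: record a cryptographic hash of every file in directories that should not change (service binaries, server modules, configuration), then periodically rehash and report anything added, altered or removed. The following is an added illustration, written for this article with the Python standard library only; it is not code from Heartland, Trustwave, Gartner or the PCI council, and the directory layout, file names and the tampering it simulates are all constructed for the example.

```python
"""
File-integrity monitoring (FIM) baseline and check, standard library only.

Added example for this article, not code from any company or standard it
mentions. The directory tree, file names and the simulated tampering are
constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by POSIX relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.

    Returns {"added": [...], "modified": [...], "removed": [...]}.
    A new file or a changed hash in a directory that should be static is the
    kind of finding that routine integrity monitoring is meant to surface; in
    practice the baseline is kept off-host so an intruder cannot rewrite it.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline) if current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it and recheck."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payment_svc").write_bytes(b"original service binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "svc.conf").write_text("listen=443\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes: the service binary is altered, an
        # unexpected module appears, and a config file disappears.
        (root / "bin" / "payment_svc").write_bytes(b"original service binary\nEXTRA\n")
        (root / "bin" / "helper.so").write_bytes(b"unexpected module\n")
        (root / "etc" / "svc.conf").unlink()

        return check_integrity(root, baseline)


if __name__ == "__main__":
    # Expected: added bin/helper.so, modified bin/payment_svc, removed etc/svc.conf
    print(demo())
```

The check only reports differences; whether a difference is an approved deployment or an intrusion is decided by correlating it with change records and the firewall and intrusion-prevention logs the article says should also be reviewed.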

