Sometimes what you do know can hurt you.
Ask Heartland Payment Systems Inc., which disclosed a major security breach this year.
The Princeton, N.J., processor passed regular security audits before discovering the breach, and said that these inspections created a false sense that its systems were protected.
Heartland said that by focusing solely on meeting the Payment Card Industry data security standard, companies could fail to meet the more important goal of safeguarding payment card data.
"The audits that are used to determine compliance are very much overvalued, and we overvalued our audits," Robert O. Carr, Heartland's chairman and chief executive, said in an interview this week.
Carr said the audits never revealed the issues that led to the breach — nor did those assessments uncover other security lapses that could have left the company vulnerable to further attacks.
Heartland announced in January that hackers had managed to install a sniffer program in its systems that could observe card data. Carr said the hackers were able to find a vulnerability that the audits never spotted.
And after revealing the breach, Heartland found other security flaws that had also gone unnoticed in its audits. The processor began using Vontu, a Symantec Corp. application that scans a company's systems for improperly stored data. This assessment, which is not required under the PCI rules, found numerous pockets of sensitive information, Carr said, including card account details that employees had stored on their systems to help them do their jobs.
"That's been a real eye-opener," he said. "Anybody that has a data-loss prevention tool will be surprised in how many different places card numbers can wind up, especially in a corporate environment where you're doing a lot of servicing."
Though this data was not involved in the breach, Carr said that the improperly stored account numbers are the kind of vulnerability that a PCI audit would not find yet could be exploited by thieves.
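The kind of scan the article describes, shown as an added Python example (not Heartland's or Symantec's code): it looks for candidate card numbers in constructed sample files, keeps only Luhn-valid digit strings of card-number length, and reports masked values per file so that the finding itself does not become another pocket of stored card data. The sample files, pattern, and function names are assumptions.

```python
import re

# Constructed sample files standing in for the documents and tickets a
# data-loss prevention scan would crawl on employee systems.
SAMPLE_FILES = {
    "notes/customer-callback.txt": "Customer asked us to retry card 4111 1111 1111 1111 on Friday.",
    "tickets/export.csv": "id,ref\n1,378282246310005\n2,order-20090114",
    "docs/meeting.txt": "Invoice 1234567890123456 is not a card, just an invoice id.",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from invoice-style numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits in the report output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in one text blob."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_files(files: dict) -> dict:
    """Map each file path to the masked card numbers it contains (only hits)."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = pans
    return report
```

Running scan_files(SAMPLE_FILES) flags the callback note and the CSV export but not the invoice id, which fails the Luhn check.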
Still, Carr also stressed that his complaints with the assessment process do not invalidate the positive effect the PCI standard has had in the industry. Providing guidelines, even if the guidelines have imperfections, is better than not having any security mandates. "PCI is important," he said. "It's needed by the industry."
Even Visa Inc., arguably one of the PCI standard's most outspoken champions, has acknowledged that the standard has limits. Visa emphasized that it is the responsibility of the companies that handle payment data to surpass those limits to keep their networks secure.
Eduardo Perez, Visa's head of global data security, said that "time and time again what we find is that breached entities often have deficiencies in the same areas," and Visa has highlighted those areas and made information available to merchants explaining how to address these shortcomings.
Organizations that repeatedly validate compliance can still have insecure networks, Perez acknowledged.
"There is a difference between validation and ongoing compliance," he said. "Something we're very focused on is making sure that industry players understand the difference, so they don't get undue comfort from having validated compliance at a point in time and not living up to the standard over time."
But Carr said the "point in time" mind-set does not go far enough to tackle the problems faced by companies that handle card data.
"I think it's a convenient, but inaccurate, statement to say that a company is certified to be compliant one day and suddenly does something wrong that they're not compliant the next day," he said. "I think the problem is deeper than that … one of the major learnings we've had — perhaps the most important learning we've had in all this — is that the value of the audit to be certified is almost counterproductive because it doesn't really catch any of the major issues."