Large data breaches at companies like Global Payments (GPN) are just the tip of the iceberg of the financial industry's data security woes, says Steve Elefant, who was chief technology officer at Heartland Payment Systems (HPY) during its massive 2008 data breach.
After Global Payments disclosed its breach last month, a familiar question arose: How could this happen to a company that was considered compliant with the Payment Card Industry data security standard?
"PCI compliance has done a lot of good in getting people to think more about security, but the fallacy of PCI is that it will make you more secure against breaches," says Elefant, now a consultant with Strawhecker Group. "PCI compliance is one thing, but you have to be vigilant on many other levels to prevent breaches."
The standard, which is enforced by the card networks, sets certain data security requirements for companies that handle payment card data. The processors were each determined to be noncompliant with the standard after their breaches.
As large as Global Payments' breach was, possibly exposing card account data of some 1.5 million consumers, it was "only a fraction" of Heartland's breach, which involved 100 million exposed accounts, Elefant notes.
Among the lessons Elefant learned during his term as the top information-technology exec at Heartland from November 2008 to September 2011 is that there is no sure bulwark against hackers, but widespread advanced data encryption and rigorous PCI compliance go a long way toward preventing break-ins.
"What we are seeing is the reality that there is no such thing as safe software, and there never will be," Elefant says.
Encryption is "very effective … if it is used properly," but it still "is not used widely enough" by payments industry players, Elefant says.
While little is known about how Global Payments' breach occurred, Elefant says it is "disappointing" that, despite four years of industry experience following Heartland's breach, another major processor experienced such widespread data exposure.
Hackers are likely to move to smaller targets, which have fewer resources to devote to defending themselves, he says.
"Hackers are still succeeding, and small processors need to be on alert more than ever before," Elefant says.
This article is adapted from a version that appeared on PaymentsSource.