Global Payments was considered PCI-compliant until hackers stole 1.5 million account numbers from it. So were two other breached processors. Banks may have to assume no third party is secure.
May 15
Large data breaches at companies like Global Payments (GPN) are just the tip of the iceberg of the financial industry's data security woes, says Steve Elefant, who was chief technology officer at Heartland Payment Systems (HPY) during its
After Global Payments disclosed its breach last month,
"PCI compliance has done a lot of good in getting people to think more about security, but the fallacy of PCI is that it will make you more secure against breaches," says Elefant, now a consultant with Strawhecker Group. "PCI compliance is one thing, but you have to be vigilant on many other levels to prevent breaches."
The standard, which is enforced by the card networks, sets data security requirements for companies that handle payment card data. Each of the breached processors had been certified compliant, and each was determined to be noncompliant with the standard only after its breach.
As large as
Among the lessons Elefant learned during his term as the top information-technology executive at Heartland, from November 2008 to September 2011, is that there is no sure bulwark against hackers, but that widespread, strong data encryption and rigorous PCI compliance go a long way toward preventing break-ins.
"What we are seeing is the reality that there is no such thing as safe software, and there never will be," Elefant says.
Encryption is "very effective … if it is used properly," but it still "is not used widely enough" by payments industry players, Elefant says.
While little is known about how Global Payments' breach occurred, Elefant says it is "disappointing" that, despite the years of industry experience gained since Heartland's breach, another major processor has suffered such a widespread exposure of card data.
Hackers are likely to move to smaller targets, which have fewer resources to devote to defending themselves, he says.
"Hackers are still succeeding, and small processors need to be on alert more than ever before," Elefant says.
This article is adapted from a version that