
February 20, 2009

  • Is PCI Compliance Defunct Already?, Pt.4
      What doesn't it do?


    As we can see from the Heartland breach, and as we also learned from the Hannaford breach, simply meeting all the requirements of a properly secured firewall does not prevent further credit card security problems on a network. Heartland had just recently been certified for full PCI compliance. A well-established and respected Qualified Security Assessor (QSA) had fully tested and assessed the firewalls at Heartland to meet all the standards. The credit card security problems found at Heartland were not related to weaknesses in the firewall. A more sophisticated and as yet undisclosed means was used to 'crack the system', and the firewalls were circumvented. The same was true of the Hannaford credit card security breach. Both were PCI certified.

    Moral of the story? "PCI is not total security." Perhaps the Heartland breach could have, and should have, been detected long before it was, but PCI compliance does not ensure the most extreme level of credit card security. All PCI compliance does is ensure that the basics are in place; it offers fundamental base protection. Once inside Heartland's network, thieves found that one 'crack' where the credit card encryption chain had to interface with an outside entity. Of course, we deal with that concept every day in our messages but, in this case, there is a 'parsing' going on where bits and pieces go to different places in a stream (kind of like a conveyor belt where no two pieces are alike). In this way, "malicious software had compromised data crossing Heartland's network," as Heartland spokesman Jason Maloni puts it.

    With every new generation of software comes a new generation of thieves. It is just like when our nation's most notorious note counterfeiter was finally caught. He was caught not for greed of money but for the new challenge he couldn't resist. He had to prove there was no dollar bill that he couldn't counterfeit. And he did. Too bad someone was watching him. No nationwide (or worldwide) credit card security system can interface with every diverse entity needed, at the incredible throughput required, and still provide a bulletproof system that will last forever. Eventually, thieves will come.

    So, what do we do? Should Heartland be doing anything in the aftermath? Of course, and they already have. They have already taken a number of steps to better secure their credit card security systems. They have also implemented next-generation software to flag future network anomalies in real time. This innovation will enable law enforcement to quickly arrest these problems and, perhaps, the diabolical scum that cause them as well.
