Visa Revokes PCI for Heartland Payment Systems

Posted in Computer Security, PCI by Thomas Cantrell on March 23, 2009

From SC Magazine:

Visa announced on Friday that it has removed Heartland Payment Systems and RBS WorldPay — two payment processors that have announced massive data breaches in recent months — from its list of service providers compliant with payment industry guidelines.

“That could be a pretty significant event because retailers are obligated to use PCI compliant service providers,” Avivah Litan, a distinguished analyst at Gartner, told SCMagazineUS.com on Friday. “It’s almost like saying all their customers have to leave them.”

And then:

Rich Mogull, founder of IT security consultancy Securosis, said in an email Friday to SCMagazineUS.com that the PCI assessment process needs revamping.

“What we see is that although no PCI-compliant company seems to ever get breached, many are certified and then found non-compliant after the breach,” he said. “Thus, it’s clear the certification process is flawed. While I don’t expect certification to impart immunity from attack, decertifying all these companies seems disingenuous.”

This raises an interesting point: can a company be both compliant and non-compliant at the same time? I think it can. It depends on how you measure.

I have no background on the PCI standard, but I suspect there may be different places where measurements can differ from one audit to another. The external auditor is likely paid by the company, and therefore has an interest in proving that the company is compliant. The Visa auditors after the security breach have the exact opposite incentive. Their goal is to prove the vendors non-compliant in order to prove the validity of the standard. For this reason, I can almost guarantee that most hacked vendors will be found PCI non-compliant after being hacked.

However, I don’t want to move the spotlight from Heartland Payment Systems, which allowed themselves to still be breached. It’s quite possible that compliance didn’t last past the PCI audit. According to SC Magazine, hackers infiltrated the network soon after Heartland’s April 2008 PCI audit. It begs the question: how immune are audits like PCI to snapshot compliance? Can a company become compliant only when audits are performed? This is what Visa’s top risk officer, Ellen Richey, says about Heartland as quoted in SC Magazine:

“I’m sure everyone in this room has read the headlines questioning how an event of this magnitude could still happen today,” she said, according to a transcript of her speech. “The fact is, it never should have…As we’ve all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack.” (Italics mine)

Finally, there is some argument that the PCI standard itself created this problem. There seems to be some noise on forums asserting that the PCI standard does not require end-to-end encryption. I’m not sure if this is true, but if it is, this means the implicit security standard at Heartland could have been “don’t worry, be crappy.” If this is the case, then they may have just followed the PCI standard enough to get certified, but not enough to actually mitigate risk.

Doghouse: Heartland Payment Systems

Posted in Computer Security by Thomas Cantrell on March 15, 2009

Last week I got a notice that my debit card was getting canceled due to a security breach at Heartland Payment Systems. I did a little googling, and came across their official site for the breach. While I am never sympathetic to those who are careless with my data, I was really surprised and a bit disgusted at the details revealed by the press releases on the site.

From a press release on January 20th, 2009:

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

And from a press release on January 27th, 2009:

“Heartland has been working on the development of end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts,” Carr continued. “To do this, we are forming a dedicated internal department and have named Steven M. Elefant, a well-known expert in point-of-sale payments, executive director.”

These press releases make me sad because they speak of security problems and solutions that were developed ten to twenty years ago. “End-to-end encryption” is implemented in a plethora of protocols, IPsec and TLS to name a few. As for the “program designed to flag network anomalies in real-time,” this is a little newer and has been encapsulated in various different IDS products this last decade. In other words, the press release sings out to me: “Oops. We didn’t realize we were vulnerable; now we should be doing what others have told us we should be doing for a long time.”

I pick on Heartland Payment Systems mostly because they are a credit card processing system. They are not one single store, like TJ Maxx’s data breach of 2007. This is a provider whose very sales story is: “The Highest Standards” and “The Most Trusted Transactions.” These are posted prominently on their main page. Anyone who works in the credit card or banking transaction industries must know by now that since their transactions are virtual money, security must be at the forefront of their minds. They are the exact target of overseas hackers, as they are the gatekeepers to the money.

My conclusion is that, from the technologies mentioned in their press releases, they should have known better. After all, they are a high-risk company for computer fraud. This is why Heartland Payment Systems is in my doghouse.

CISSP: Self Study or Class

Posted in CISSP, Computer Security by Thomas Cantrell on March 8, 2009

As I mentioned, I am studying for the CISSP. It’s been an enjoyable journey thus far of security topics.

One thing I’m noticing in my study is that there are two ways to work through this certification. The first is self-study. One studies through a text. My book is approximately 1200 pages. The second way is a training class. These classes cost about $4,000-$5,000 and take a week of time. However, after the intense “boot camp” you will be ready to take the test and get your certificate.

I started off thinking that I would self-study all the way to the CISSP. After all, I’m about 250 pages through my first read of the 1200 pages. However, even if I study well, I am beginning to see the value of taking the training class as well. The idea is that I would study all the material myself and use the training class as review. If my employer will pay, then this is a great idea. If my employer doesn’t pay, then I fear training classes will be too expensive.

Certainly $4,000-$5,000 is expensive, but when you are like me, thinking of 3-6 months of study, perhaps the course is worth it. Again, the goal, at the end of the day, is not just to get the certification, but to have a better picture of the security landscape.
