Personal data needs to be given the utmost priority in terms of protection. Financial institutions have a tremendous opportunity to lead the charge for safer data, and this would be a wise move, since the next step could be mandated data protection legislation, as some states are proposing.
The lifeblood of a financial institution (and any company for that matter) is its data. The majority of companies take the utmost care in keeping hackers and others out of their network. However, there is a surprising lack of protection inside the corporate network. What Heartland ultimately shows is the need for a holistic approach to security. Don't assume that data is safe inside the firewall. As evidenced by Countrywide and a host of others, insiders are an equally grave threat.
Amir Orad, Chief Marketing Officer, EVP, Actimize:
The bad guys have again demonstrated a massive investment and long-term thinking and planning spent in order to make this breach possible. As in the TJX case, this should raise a "blinking red" flag; this level of preparation and investment by the bad guys dramatically raises the bar on what FIs need to deal with and defend against in this market.
In security, people always say that typical defenses are very effective against most attacks. But if someone attacks you specifically and develops custom technology designed to attack you specifically, it will be very difficult to defend against (true with viruses, Trojans, etc.). Well, it seems the bad guys are doing just that.
Traditional approaches to data compromises and stolen cards have been A) to cancel and replace the card or B) to use watch lists or card lists that make fraud detection software more sensitive to transactions with cards that are compromised. This was an effective method when the number of compromised cards was in the thousands or even tens of thousands. When a large portion of the US population's data is compromised, these methods become much less effective due to A) replacement cost or B) false positives, and much more modern analytic surveillance technology is required to deal with this massive problem.
Aaron Bills, Co-founder and COO, 3Delta Systems:
The Heartland Payment Systems' malware breach brings two truisms to mind: Good security is difficult. Good security in complex systems that allow user access is especially difficult.
The payment industry has taken exceptional strides to self-regulate and foster better data security in the U.S. through initiatives such as the Payment Card Industry Data Security Standards (PCI DSS). These standards encompass 12 core requirements covering security management, policies, procedures, network architecture, and software design to help merchants and organizations that process, store or transmit payment card data establish strong technical and operational requirements for safeguarding cardholder data.
Some critics argue that these standards are worthless because some compliant companies such as Heartland Payment Systems have suffered a data breach. I say rubbish.
Becoming PCI-certified doesn't magically shield a business from losing data or provide impenetrable security against hackers or malware. It does mean, however, that a company's processes and technologies meet the most stringent criteria we have as an industry for processing or storing confidential payment data.
The PCI standards are not a panacea for solving all security ills, nor are they static. Like information technologies themselves, they are a continual work in progress. And they are very good security industry standards in much the same way that the International Organization for Standardization (ISO) 9000 is a very good worldwide benchmark for quality management in manufacturing and service organizations.
Let's say you buy a car from an ISO 9000-certified manufacturer that has adopted a quality system designed to minimize defects and focus on continuous improvement. This ISO 9000 standard conveys certain controls and processes are in place at that manufacturer to produce a quality car. It doesn't guarantee, however, that your new car will be completely free of defects.
Like quality manufacturing improvement, IT security improvement requires daily vigilance and work. You don't "get PCI compliant" automatically. You maintain PCI compliance. It's a constant state of being, not a yearly audit event.
Each of us in this industry can learn from the very difficult lessons of companies whose data has been breached so that we can improve our own systems and countermeasures. We'll all learn from the Heartland breach, others that have preceded it and still others that will certainly follow.