Heartland Breach: State of Payments Security 1 Year Later
Security Experts Weigh in on Breach Impact, Needed Improvements It has now been one year since the Heartland Payments System breach was made public. What lessons have been learned and what more needs to be done to improve the security of the payment industry?We asked four information security experts for their take on Heartland: One year later.
Impact of the Breach
Last Jan. 20, on the same morning the new U.S. President was being sworn into office in Washington, D.C., a press announcement was released by Heartland Payments System, a Princeton, NJ-based payments processor, announcing it had suffered a data breach of unknown size. It turned out to be the largest breach on record of credit and debit card data, with an estimated 130 million cards being stolen out of the payment processor's internal network.
An investigation by law enforcement traced the hack back to Albert Gonzalez, previously named as the hacker of TJX and other retail companies. The number of financial institutions affected because of the breach still isn't clear, but is estimated to be in the thousands. A class action suit brought against Heartland on behalf of the affected institutions waits on a judge's docket in Houston, TX.
The one thing that Heartland's breach reinforced was "It could happen here," says Matt Davis, Audit and Compliance principal practice lead at Secure State, a Cleveland, OH-based risk assessment firm. Overall, Davis sees the Heartland breach on a negative side, "[Heartland executives] want to say it happened because of what others didn't do, when in fact it was really caused by what they failed to do."
PCI Improvements
Although Davis credits Heartland's CEO Robert Carr for his tireless, post-breach promotion of new secure-payments solutions, he believes it was misleading to shift discussion from the breach itself to Payment Card Industry Data Security Standard (PCI DSS, or just PCI) compliance and assessments. "It was more of a red herring and would not have fixed their problem as a processor," he says. "I think it really helped show that an adversarial approach to auditors and bare minimum approach to compliance won't get you secure. That is the best lesson to be learned here."
Improvement throughout the payments process is ongoing, according to Branden Williams, Director, Security Consulting, at RSA, a security vendor. "Since the Heartland breach, we've seen significant progress in in-flight data protection techniques offered by acquirers and processors that help merchants take significant portions of their networks out of scope."
These enhancements are not something that would have necessarily prevented that particular incident, he adds, but could definitely go a long way toward preventing a breach at a merchant.
"The PCI Quality Assurance program is also well underway, and new Qualified Security Assessors (QSA's) have a much more stringent process they will be subject to before being given the designation from the [PCI] council," Williams adds.
What more needs to be done? That is a hard question to answer, Williams says. "Only because the answer to this question has been the same ever since companies have had to do something to protect data they store." If companies subject to PCI took a serious look at implementing standards-based frameworks throughout their operations, they would be much farther along to complying with any standard that comes to light. One example Williams made was ISO27002. "You are hard pressed to find a requirement inside PCI DSS that is not in some way covered by ISO27002," he says.
The road to get to that level of security is fraught with potholes, Williams says. "[But] potholes simply come down to money and executive commitment," he says. Can a CEO or CIO of a public company look at his shareholders and say, 'We're going to take reduced profits or even a loss for the next two years while we complete a massive project to overhaul how our company secures its data' without the fear of being shown the door?'
Card Companies: Weak Response?
Davis is quick to say there wasn't a strong enough reaction to Heartland by the credit card brands. "What did not happen here, and hasn't happened in other breaches, is a strong enough reaction by the card brands," he says. "I don't think an organization will really 'get' the impact of a breach until it results in the inability to process cards for huge breaches like Heartland or TJX."
Davis acknowledges that would mean effectively bankrupting a business. "But it may take that level to make the point. I think another good step would be [for a breached entity] to provide automatic credit monitoring or protection for the consumers involved in the breach, besides just a card reissuance. It's the right thing to do and increases the cost associated with a breach - which unfortunately is needed to incent organizations."
Perhaps, Davis muses, the industry needs a new regulation that makes officers of a breached organization personally liable. "Maybe then they might try do secure the data instead of just getting compliant," he concludes.
What Next?
While the larger national retailers, acquiring and issuing banks and payment processors may have made progress toward improved PCI compliance, little progress has been made to improve security at the smaller merchants, says Anton Chuvakin, a noted PCI security expert. "Smaller merchants largely remain in the land of security ignorance. PCI DSS is trying to drag them out of there, kicking and screaming, but a majority is still there."
The fact is, Chuvakin says, the payment infrastructure is still insecure. "This one is a no-brainer: I have not seen any progress toward developing a more secure payment infrastructure," he says. "Admittedly, it might be ongoing deep inside the card brands, but nothing is public yet."
The industry's tokenization and end-to-end encryption initiatives are both positive developments, but standardization is just as important to achieving a secure state as putting in the right technical fixes, says Tom Wills, Senior Analyst, Security & Fraud at Javelin Strategy and Research.
In other words, Wills notes, these solutions need to be integrated into PCI and implemented industry wide before they have a real effect on fraud. "That's because if they only go in piecemeal at certain processors or merchants, the crooks will just avoid those particular properties and attack the ones that don't those these controls in place," he says.
How close is the industry to finding answers to the vexing problems of securing the payment networks of merchants, banks and payment processors? "History has shown us that 'speedy standardization' is an oxymoron," Wills says. "So I expect to see more posturing and bickering among the various parties before anything is implemented industry-wide that takes a material dent out of the data breach problem. If history is anything to go by, we're at least one or two years away from that."