From: InfoSec News (alerts@infosecnews.org)
Date: Wed Oct 07 2009 - 04:33:10 CDT
http://www.bankinfosecurity.com/articles.php?art_id=1834
Linda McGlasson
Managing Editor
Bank Info Security
October 5, 2009
Months before announcing the Heartland Payment Systems (HPY) data
breach, company CEO Robert Carr told industry analysts that the Payment
Card Industry Data Security Standard (PCI DSS) was an insufficient
protective measure.
This is the contention of a new master complaint filed in the class
action suit against Heartland, which in January announced a data breach
that is now estimated to be the largest known hack, involving 130
million credit and debit card accounts.
In a November 2008 earnings call, according to the complaint, Carr told
analysts, "[We] also recognize the need to move beyond the lowest common
denominator of data security, currently the PCI DSS standards. We
believe it is imperative to move to a higher standard for processing
secure transactions, one which we have the ability to implement without
waiting for the payments infrastructure to change."
Carr's comment confirms that the PCI standards are minimal, and that the
actual industry standard for security is much higher, the complaint
alleges. "Heartland executives were well aware before the Data Breach
occurred that the bare minimum PCI-DSS standards were insufficient to
protect it from an attack by sophisticated hackers," the document says.
[...]