call us at 1.866.467.4733 or visit our website at microshred.com
RSS icon Home icon
  • Heartland Breach Raises Significant Questions on PCI Compliance

    Posted on April 2nd, 2009 admin No comments

    credit-compromised-do-criminals-have-your-personal-identity1The massive data breach announced in January by Heartland Payment Systems continues to raise significant questions regarding the state of security in the payment industry. As many as 100 million credit card and debit cards have been compromised, impacting unknown millions of consumers, 175,000 merchants and 600 institutions. One of the most pressing questions of the day is the relevance of the Payment Card Industry Data Security Standard (PCI), which is an industry-driven standard meant to ensure the safe handling of sensitive information.Leading up to the breach, Heartland listed on its own Website that it was certified as being PCI-compliant last April. “Obviously, Heartland was not in compliance at the time of the breach,” explained Steven Bearak, CEO of Identity Force. “This lapse in compliance is not just troubling; it causes many to wonder if the PCI standard is in fact a toothless tiger.”

    Heartland is still in operation. Visa, while taking Heartland off of its “compliant” list, continues to accept transactions processed by the company. And a top analyst at Gartner Research just this week is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. (another breached processor) not to switch to other payment processors.

    Heartland has even gone so far as to threaten to sue companies that try to take its business away by raising questions about the effectiveness of its security systems.

    What is clear is that millions of people and merchants have been put at risk, and little is being done voluntarily to mitigate the damage. What good is PCI compliance if there are no penalties involved for the major institutions that claim compliance and are not?

    Security is only as strong as the weakest link. PCI compliance certification is not a guarantee against breaches. Organizations should prepare accordingly.

    (Source: idtheftdailynews.com)