One Lesson from the heartland that we should all learn from and ‘get’ by now.

1954532857_1d2a32e59f
Photo by davethelimey

Ellen Richey, Chief Enterprise Risk Officer for Visa, Inc said the following at the Visa Global Security Summit

"As we’ve all read, the company had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack. Based on our findings following the compromise, Visa has taken the necessary step of removing Heartland from its online list of PCI DSS compliant service providers."

I remember someone asking me when news of this breach first hit the news –  "But weren’t they PCI compliant ?" "How could they have been breached, weren’t they secure" ? 

I’ve discussed this here before here (PCI Compliant Control Breakdown) and here (Compliance != Security – the Titanic illustration).

I really think the the Heartland Breach is the linchpin event to people of these three important concepts:

  1. PCI is a baseline of minimum controls that need to be implemented to generally reasonably protect data across the broad spectrum.
  2. Security goes "above and beyond" the minimum required for compliance and should use a risk based approach specific to your business and operating environment.
  3. Maintaining compliance must be a ongoing process, it is not a once a year thing.

 

Case in Point: – a sales professional that I work with, attended the Prepaid Expo USA recently and shared this from his notes on one of the sessions on Prepaid Card Processing:

PCI is NOT enough. It is an ongoing process and we are all playing the "catch up game" much like the anti-virus world.

1 Comments

  1. I just found your blog. Great post. It’s true that PCI-compliance is just step 1. I’m sure Heartland has a robust security system and it could happen to anyone, but the unfortunate breach can remind us all to tighten our belts – go above and beyond.

Leave a Comment.