TechNewsWorld Talkback
Posted by: Richard Adhikari 2010-02-04 10:36:11
Following a breach of its computer systems a year ago, Heartland Payment Systems, one of the five largest payment card processors in the United States, came under considerable pressure to strengthen its IT security, and it's been embroiled in several lawsuits because of the breach. In January 2009, hundreds of thousands of business owners were stunned when Heartland announced its systems had been breached. Heartland's services include card processing, payroll services, check management, online payments and micropayments.
Posted by: MsAnonymous 2010-02-04 11:02:14 In reply to: Richard Adhikari
This article is nothing new. It’s PR spin and nothing more. That’s all we get from Heartland.
E3 encrypting card data with a tamper resistant peripheral and not decrypting until it’s at the processor is great for merchants, but this has nothing to do with Heartland’s situation. Heartland still decrypts it with a server talking to their HSM before passing back to the card brand networks. Heartland was the one hacked and they are still vulnerable. Even if every merchant were to upgrade their card readers to E3, Heartland is still vulnerable.
Heartland, please tell us:
1) The hackers got in once before and you thought you cleaned it. Turned out they were still in your network lying dormant for a while until the cleaning activity stopped and you went back to ignoring security. Then they got to your card data. Are you really sure you cleaned it out this time?
2) You still have not talked publicly about your lack of security that caused the breach to happen and go undetected. You did PR saying you’re all about sharing information with the industry, but have shared NOTHING that helps others avoid advanced persistent threats. HOW did they get into your payment processing systems and stay there undetected?
3) In your forensic audit, were you deemed PCI DSS compliant at the time of compromise? Your once a year validation does not count.
4) What are you doing to fix YOUR security now that I’m sure it’s being taken seriously behind the scenes?
