Following a breach of its computer systems a year ago, Heartland Payment Systems, one of the five largest payment card processors in the United States, has come under considerable pressure to strengthen its IT security and has been embroiled in several lawsuits over the breach. In January 2009, hundreds of thousands of business owners were stunned when Heartland announced that its systems had been breached. Heartland's services include card processing, payroll services, check management, online payments and micropayments.
This article is nothing new. It's PR spin and nothing more. That's all we get from Heartland.
E3 encrypting card data with a tamper-resistant peripheral and not decrypting until it's at the processor is great for merchants, but this has nothing to do with Heartland's situation. Heartland still decrypts it with a server talking to their HSM before passing it back to the card brand networks. Heartland was the one hacked and they are still vulnerable. Even if every merchant were to upgrade their card readers to E3, Heartland is still vulnerable.
Heartland, please tell us:
1) The hackers got in once before and you thought you cleaned it. It turned out they were still in your network, lying dormant for a while until the cleaning activity stopped and you went back to ignoring security. Then they got to your card data. Are you really sure you cleaned it out this time?
2) You still have not talked publicly about the lack of security that caused the breach to happen and go undetected. You did PR saying you're all about sharing information with the industry, but have shared NOTHING that helps others avoid advanced persistent threats. HOW did they get into your payment processing systems and stay there undetected?
3) In your forensic audit, were you deemed PCI DSS compliant at the time of compromise? Your once-a-year validation does not count.
4) What are you doing to fix YOUR security now that I'm sure it's being taken seriously behind the scenes?
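As an added illustration of the point made in the comment above (this is not Heartland's code, not E3, and not the commenter's own), here is a toy model of a terminal-to-processor encryption path. The class names, the key-derivation scheme, the sample PAN and the hop names are assumptions made for the example, and the HMAC-SHA256 keystream is a stand-in for the AES a real tamper-resistant reader would use. The trace function reports, hop by hop, where the cleartext card number actually exists: it never exists on the merchant side, but it reappears in the processor host's memory the moment that host asks the HSM to decrypt, which is exactly the asset a compromise of the processor reaches.

```python
"""Toy model of a terminal-to-processor (P2PE-style) encryption path.

Added example, not vendor code.  Classes, key derivation and the sample PAN
are assumptions for illustration; the HMAC-SHA256 counter keystream stands in
for the AES that a real tamper-resistant terminal would use.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class Hsm:
    """Processor-side HSM: holds the base derivation key and never releases it."""

    def __init__(self, bdk: bytes) -> None:
        self._bdk = bdk

    def derive_terminal_key(self, terminal_id: str) -> bytes:
        # Per-terminal key; in practice injected into the device at a key-injection facility.
        return hmac.new(self._bdk, terminal_id.encode(), hashlib.sha256).digest()

    def decrypt(self, terminal_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
        # The cleartext leaves the HSM here and lands in the calling host's memory.
        return _keystream_xor(self.derive_terminal_key(terminal_id), nonce, ciphertext)


class Terminal:
    """Tamper-resistant reader: encrypts the PAN before it reaches any merchant system."""

    def __init__(self, terminal_id: str, key: bytes) -> None:
        self.terminal_id = terminal_id
        self._key = key

    def read_card(self, pan: str, nonce: bytes = b"") -> dict:
        nonce = nonce or os.urandom(12)  # fixed nonce only for deterministic tests
        return {
            "terminal_id": self.terminal_id,
            "nonce": nonce,
            "ciphertext": _keystream_xor(self._key, nonce, pan.encode()),
        }


def trace_pan_exposure(pan: str, hsm: Hsm, terminal: Terminal) -> dict:
    """Return, per hop, whether the cleartext PAN is present at that hop."""
    message = terminal.read_card(pan)
    # Everything the merchant host, merchant network and transit path can see.
    merchant_view = message["ciphertext"] + message["nonce"]
    # The processor host asks the HSM to decrypt so it can route the PAN to the card brand.
    processor_view = hsm.decrypt(message["terminal_id"], message["nonce"], message["ciphertext"])
    return {
        "terminal": True,
        "merchant_host_and_network": pan.encode() in merchant_view,
        "processor_host_after_hsm_decrypt": processor_view == pan.encode(),
    }


def main() -> None:
    hsm = Hsm(bdk=os.urandom(32))
    terminal = Terminal("T-0001", hsm.derive_terminal_key("T-0001"))
    for hop, exposed in trace_pan_exposure("4111111111111111", hsm, terminal).items():
        print(f"{hop}: {'cleartext PAN' if exposed else 'ciphertext only'}")


if __name__ == "__main__":
    main()
```

The HSM protects the key, not the data: once the processor host receives the decrypted PAN to forward to the card networks, malware on that host reads it as easily as it would without any terminal encryption, which is why reader upgrades at the merchant do not change the processor's own exposure.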