Heartland Payment Systems: Lessons Learned from a Data Breach (Published as a discussion paper, by the Federal Reserve Bank of Philadelphia). In this discussion paper, Senior Industry Specialist Julia Cheney summarizes a workshop hosted by the Payment Cards Center on August 13, 2009. The workshop examined the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS), Robert Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event.
Mr. Carr, CEO of Heartland Payment Systems (who suffered a data breach over many months and exposed nearly 100 million accounts in 2008 is also a highly successful processor), highlight the need to disclose the methods and techniques employed during successful attacks (internally to the QSA / PCI / Auditors and externally to other financial institutions). While my preference for disclosure may be broader to include the merchants and other parties, as this information can be communicated without exposing competitive information. These attack details can be used to pragmatically improve by the PCI DSS and in-operation business environments. The lack of such intelligence only makes an attack cheaper for the attackers, as they can reuse code and techniques.
Mr. Carr makes it a point to highlight that 7% of his information technology staff are focused on Information Security. An interesting question / metric would be – is this sufficient? While I am certain that programmers, technical business analysts, web designers, and all levels of operational IT teams have a job description stating that they practice good security practices – how can this be managed and improved via metrics? [Not a judgment, but an open question for thought and reflection]
Mr. Carr made several instructive observations:
- Do not underestimate the insider threat – I agree with this, but beyond his focus on internal employees inadvertently creating risks. Insider threats can be machines that they themselves have been compromised and are untrusted. These beachhead systems in less restrictive environments are able to easily capture data in transit, and seek out the data at rest. Therefore all systems connected within an “open” network must be considered untrusted, and has been the running definition under PCI DSS.
- Ensure the appropriate audit scope – ABSOLUTELY, this is a must and falls on both management and the auditors on hand. The audits are a demonstration of management’s control environments. So, it is in the interest of both parties to be open and honest with each other. Cooperation and not opposition is the only meaningful way to evaluate and improve business operations.
- In House Security – I agree that top-level oversight is needed.
Mr. Carr goes on to saying
“…security protocols must be universally applied and enforced among all employees, at all levels of hierarchy and across all departments. Ensuring that auditors have a wide scope to review systems for security vulnerabilities is also important to identify situations, such as happened at Heartland, in which fraudsters were able to penetrate the processing systems by first compromising another, separate network, in this case the corporate network. Finally, security expertise and strategic planning are critical skills that should be emphasized at the highest levels of the corporate structure.” Page 8
The remainder of the paper provides a nice overview of 3 payment card solutions for data in motion security – End to End Encryption, Tokenization, and Chip Technology. I won’t elaborate here, but certainly worthy reading for a summary explanation of each.
I agree with Heartland’s approach of proactiveness, and hope it will lead to similar efforts that raise the entire security baseline within the payment card security space.
It is important to highlight though the need for full security – security only in one section of a network is reckless if there is not physical separation both in staff and systems. Good security and the resulting compliance is achievable, and as Mr. Carr highlights it can be good for business.
Other thoughts and takeaways?
Here is a link to the group Mr. Carr referred to in the article.
Also, a big thank you to the Federal Reserve and Heartland for putting this article online – link to Federal Reserve and direct link to PDF.