News Now

CU System
Data theft sparks another debate about standards
MADISON, Wis. (1/30/09)--Credit unions monitoring the Heartland Payment Systems data breach may wonder how it happened to such an extent that an estimated 100 million cards might be compromised. The breach has reopened the debate about security standards, and several experts are questioning whether the Payment Card Industry Data Security Standard (PCI DSS) is enough.

The PCI standard is a set of security controls mandated by the major credit card companies Visa and MasterCard for companies handling or processing credit and debit card information.

The Heartland breach, like the Hannaford Bros. breach in 2008, involved data en route to a payments system. Both companies were apparently compliant with PCI DSS. Hannaford had been deemed compliant by the credit card companies about three months before it announced its data breach. Heartland, based in Princeton, N.J., was certified as PCI-compliant in April by Trustwave, a PCI assessor, according to Gartner analyst Avivah Litan (NetworkWorld Jan. 22).

Because it is a payments processor, as opposed to a retailer or merchant, Heartland is expected to have stronger controls for preventing, detecting and responding to system breaches (ComputerWorld Jan. 22).

The breach apparently occurred when hackers planted "sniffer" malware that captured information as data moved through Heartland's network and moved the captured data off the network in encrypted data streams.

How could such a thing happen? Litan suggested to ComputerWorld that Heartland may not have routinely monitored its files' integrity for unauthorized content. Others say it may not have used all the security controls required by the PCI standard, such as analyzing the log data from its firewalls and intrusion prevention systems.

Litan told NetworkWorld that PCI doesn't mandate encryption inside a private network because then all the processors would have to encrypt.
But, she added, the complex interconnections among payment card processors, financial institutions and merchants would make point-to-point encryption unwieldy. End-to-end, application-level encryption, however, might be more feasible at the origin of the card data. Some retailers encrypt data in motion inside their store networks but then have to decrypt the information to send it to their processors.

The Heartland breach "should make one thing clear: the standards for security around credit card numbers still aren't good enough," said Luther Martin, a solution architect with Voltage Security, writing in Help Net Security Jan. 29. The PCI standard "is a good first step, but it's not quite enough," he said.

However, that doesn't mean the standard has grown irrelevant, according to tech writer George Hulme in InformationWeek's Security Weblog (Jan. 27). "Being compliant to any mandate won't make one secure," Hulme wrote, adding that building a secure and sustainable infrastructure is important. Retailers, manufacturers and health care providers typically have the least mature security programs, he said. Still, the PCI standard has raised the security level, especially in the retail industry.

But, Litan said, the payments processors are "definitely being targeted."
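The file-integrity monitoring Litan says Heartland may have lacked is a simple control to illustrate: hash every file on a host at a known-good point, then periodically re-hash and alert on anything added, changed or removed. The following is an added example written for this article, not code from CUNA, Heartland or any PCI assessor; the directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
"""Baseline-and-compare file-integrity check (added example, constructed data)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_baselines(baseline, current):
    """Compare two hash maps; any non-empty list is an alert an analyst should review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a certified baseline, then unauthorized content appears
    (an unexpected binary) and an approved config is altered on the same host."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "switch"), "wb") as f:
            f.write(b"approved payment switch build\n")
        with open(os.path.join(root, "app.conf"), "w") as f:
            f.write("log_forwarding=on\n")
        baseline = hash_tree(root)  # taken when the host was certified
        # Later: a file not in the approved build shows up and a setting changes.
        with open(os.path.join(root, "bin", "unexpected.so"), "wb") as f:
            f.write(b"not in the approved build\n")
        with open(os.path.join(root, "app.conf"), "w") as f:
            f.write("log_forwarding=off\n")
        return diff_baselines(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and the comparison scheduled, so that a planted file or a disabled log setting raises an alert rather than sitting unnoticed.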