On January 20 of this year, Heartland Payment Systems reported that it suffered a data breach in 2008 — identified not by the company but by Visa and MasterCard's monitoring programs. This was very significant because Heartland processes more than 100 million card transactions per month for about 250,000 customers.
Unnamed individuals had apparently placed malicious software on Heartland's servers with the intent to steal credit card information. Heartland asserted that no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers, addresses, or telephone numbers were compromised. It is also important for all of us because, according to their CEO, Heartland had received a passing grade on their Payment Card Industry (PCI) compliance and was relying on that external audit.
Board members, executives, IT security professionals, risk officers, compliance officers, and internal auditors should understand what happened, and there are valuable lessons to be learned.
Computerworld quoted Avivah Litan, an analyst at Gartner Inc.:
"Given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more. 'It does look like the biggest ever,' Litan said. ... 'More radical security moves' need to be taken by [the] payments industry as a whole to address the problem, she added. Such incidents show that the security requirements of the Payment Card Industry Data Security Standard being pushed by the major card companies [are] clearly not enough."
In August, Heartland's CEO, Robert Carr, responded to a Q&A from CSO Online. He explained how, in his opinion, PCI compliance auditors failed the company. He said:
"The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that.
"In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions."
A number of IT governance and security experts responded to the blaming of PCI auditors. Rich Mogull responded in an open letter, posted in his Securosis.com blog. Here are some excerpts:
"I completely agree that the current system of standards and audits contained in the Payment Card Industry Data Security Standard is flawed and unreliable as a breach-prevention mechanism. That said, your attempts to place the blame of your security breach on your QSAs, your external auditors, are disingenuous at best.
"As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.
"The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn't even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI."
I don't have any insider or special knowledge of the Heartland incident, but there are a number of important lessons that can be learned by reflecting on the assertions by Carr and Mogull:
1. Boards and executives should understand what work is being done before placing reliance on it. Assurance providers should ensure their customers understand what assurance they are providing — and what they do not provide.
The CEO asserts he was placing reliance on the PCI compliance audit. But as Mogull says, "The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn't even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI."
Management is responsible for its systems of internal control and security. It can employ the services of others, whether internal auditing or external assurance providers, but it should understand the extent and limits of the assurance provided. Carr seems to have 'assumed,' and we all know what assume means.
2. Being compliant with a standard does not mean you are secure.
The Heartland breach is an excellent example of how you can be compliant with a standard, even one intended to reflect best practices in preventing a breach, and still suffer one. Management, security, risk, audit, and compliance professionals should look beyond the standard, whether an external one like PCI or an internal standard, and determine whether it is sufficient to manage the related risks to the organization. Complying with (or auditing to) a standard is not the same as managing (or auditing) the risk and its related controls.
3. Following the rules does not necessarily mean you meet the principles behind them.
The bane of those of us in the United States is that our accounting standards are rules-based instead of principles-based. I was at an audit committee meeting where the external auditors were challenged by the directors and management on why they had insisted on a large write-down of tax assets. They defended their position as being required by the rules of Generally Accepted Accounting Principles. I asked whether the resulting financial statements reflected a "true and fair view" of the company's results and financial position. They had to admit they did not, but the rules made them do it.
Outside the United States, most of the world has principles-based standards. While there are murmurs that there is so much room for judgment that the standards are too loose, I still prefer and advocate principles-based rather than rules-based standards.
Rather than looking at compliance with rules and standards, let's step back and ask whether the principles behind those rules and standards have been achieved. It's quite possible, as was asserted for the PCI standards, that the standards are not adequate.
4. Using a list of best security practices, a standard audit program, or a checklist of required controls may mean you are missing the point.
The lesson is clear from Heartland that following what was considered best practices, at a prior point, for other companies, may not be best practice for your organization. Understand the risks to the organization's strategies and objectives, then implement the controls necessary to manage those risks within organizational tolerances.
I welcome your comments.