Case Study: Heartland Payment Systems

1143 Words5 Pages

In January 2009, Heartland Payment Systems announced that it had encountered a breach in its security system the previous year. The breach had compromised data of more than 130 million credit and debit cards transactions. It was learned that transaction data was being transmitted in an unencrypted form within its internal processing platform. The company was certified PCI DSS (Payment Card Industry Data Security Standard) compliant and had implemented all the required controls. However, compliance with the PCI DSS standard did not stop the breach.
Does compliance ensure security?
Compliance and security are two different entities and while being compliant is a byproduct of being secure, the converse is not true. Compliance is the minimum requirement …show more content…

However, complying with these guidelines is not enough to keep enterprises safe. Organizations must go beyond these standards to create a stronger security posture, as the purpose of the standards is not an in-depth strategy to address all enterprises risks. Due to the need for achieving regulatory compliance, organizations focus on the means rather than the end. Actions are taken to meet the regulatory obligation rather than enhancing the security of the organization. Most regulations are aimed at the industry as a whole and hence it is unlikely that compliance alone will address all the vulnerabilities an organization has to deal with, as vulnerabilities change and vary by the organization. This can result in a situation where one can be compliant and still be vulnerable (Soppitt, …show more content…

Out of these, the end-to-end encryption is the best option as it secures both the data at rest and transit. Tokenization does not store the customer’s card data at all and only stores a reference token generated by the third-party service providers. This puts the onus on protecting the card data on the third-party vendors rather than the merchants, but leakage is still possible. The third option of placing a chip on the card or key fob to will enable encrypted storage, exchange, and transmittal of card data. It is a good solution but an expensive one as the entire infrastructure has to be upgraded. Other options include using PIN (personal identification numbers) with the card or using magnetizing strips to create a unique fingerprinting of the cards to enable processing the transactions (Cheney, 2010).
Access controls
Current PCI DSS standards check for two-factor authentication for accessing networks remotely. Enabling multi-factor authentication (MFA) for all administrator accesses to networks and card data at each individual system component is recommended. MFA should be extended for remote network access (Thurman, 2016).
Network admission

More about Case Study: Heartland Payment Systems