According to a Computerworld article and a statement by Heartland, competitors of the now PCI-delisted payment processor are using the breach as a means to lure away its customers. Competitors are apparently suggesting that doing business with Heartland will result in fines from Visa. That part is not true. Visa has publicly stated that no fines will be levied against Heartland's customers. However, would you continue to trust Heartland, its auditor and the PCI compliance standard to do their jobs in protecting your information?
Without casting doubt on Heartland, this is a case where past performance may be a sign of future returns. Heartland continues to stay on message that it will be re-certified by May. It's also unclear whether Trustwave, its prior PCI auditor, will be the one re-certifying it. The biggest question of all: when will Heartland come entirely clean with its incident findings, and how can it regain our trust?
In any economy it's a natural force of doing business to use your competitor's weaknesses against them. Despite assurances from Visa and Gartner, you can bet that Heartland's customers are thinking seriously about switching processors. If I had any say in what goes on at Heartland, I'd suggest a few moves to help regain customer confidence:
- Use a new PCI auditor this time around. Why use just one? How about two entirely different and independent audit firms? This is not to say that Trustwave didn't do its job, but it takes all doubts off the table immediately.
- Invest in an automated compliance and audit system. Being compliant once a year is not being compliant at all. This is particularly the case when you consider the mass volume of transactions at Heartland: 100 million a month. Compliance is much like a new car. Once you drive it off the lot, it depreciates at a rapid rate. Most computer assets, once they go into production, naturally drift out of compliance.
- Provide an honest and complete incident report to the public. Let the public and the customers decide how the incident was handled and who is best placed to handle the next breach. Breaches happen all the time. What separates the field is 1) how well the company strategically positioned its assets against a breach, 2) how well the breach was handled and 3) how the company moves forward based on what was learned from the breach.
In the end, let's all hope that this breach will be a learning event for Heartland and all businesses.
@st0rmz
The reality is that Trustwave has an incestuous relationship with PCI DSS, considering that Trustwave administers the DSOP on behalf of AMEX.
I have also been told that Bob Russo of the PCI Security Standards Council (PCI SSC) previously held a role at Trustwave, but I have not been able to locate a reference to confirm this (i.e. it is not listed on his LinkedIn profile, etc.), so it may be hearsay.
Posted by: cmlh | March 25, 2009 at 05:14 PM