More on Heartland…this attack serves as a great case study on compliant vs. secure. The recent Heartland attack mirrors that of TJX, which lost somewhere between 50 and 100 million credit card numbers over a three-year period. Recent USA Today reports indicate that this attack also started with an insecure wireless network in a store that was connected to Heartland. Once on the network, the thieves made their way into Heartland and set up Trojan technology that allowed them to sniff out credit cards as they were being processed. Heartland was PCI compliant! A similar loss occurred in a recent attack on Hannaford Brothers grocery stores – another PCI compliant establishment. Hannaford lost 4.3 million credit cards.
Sales people often cave in when the client draws a line between assessments and remediation. Don’t give in to this sort of thinking. It may not work on the government side, but assessments and audits differ, and solution providers that secure data must start by assessing risk. Even if a firm claims to be compliant, the work of securing it is still outstanding.
http://blogs.usatoday.com/technologylive/2009/01/heartland-could.html – this recent article reveals some of the litigation awaiting Heartland…Why didn’t their technology solution provider sell them the right security?