Heartland is working on security – comments from the top may help you as you talk security with the business leaders running the accounts you call on…Some great sound bites sent over by a recent workshop attendee – thanks Tim!

COMMENT: Notice PCI isn’t enough.  It’s interesting that Heartland was considered compliant before the breach, but not after.  No change to the security system, just a failure to protect the data (something not listed in the PCI standards).

“Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough. It’s the “lowest common denominator,” he says, adding that the audit didn’t detect the vulnerability that led to the hack even though it had existed for years.”

COMMENT: Heartland was not required to disclose this breach…read why!

“The laws typically cover so-called personally-identifiable information, which includes some sort of number in combination with a name. The data the hacker stole from Heartland only included credit-card numbers and bank codes. That was enough for the hacker to steal money from card holders’ accounts, but because there was no way for the bad guy to learn the identities of the card holders, Heartland wasn’t required under state laws to disclose the breach.”

COMMENT: Heartland’s voluntary response goes beyond PCI.  Remember Tylenol and the Solid Come Back?  I was there…working with McNeil at the time.  The proper response makes all the difference.

“Heartland is getting ready to roll out a more secure credit-card processing system for its customers. The new system, which will be available on a trial basis starting in the third quarter, will encrypt credit-card data from the time cards are swiped at a store until the data are delivered to the issuing bank.”

(Quotes from: http://blogs.wsj.com/digits/2009/06/17/heartland-gets-religion-on-security/?mod=rss_WSJBlog?mod

© David Stelzl 2009