Hundreds of millions of private credit card records stolen from PCI card processor

Credit card payment processor Heartland Payment Systems announced this week that hundreds of millions of credit card transactions were stolen last year. This latest hack far eclipsed the 45 million TJX Companies records lost from 2004-2007. The stolen data includes names, credit/debit card numbers and expiration dates.

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

Heartland reportedly determined the source of the breach last week as a piece of malicious software.

Heartland Payment Systems is a member of the Payment Card Industry’s (PCI) small group of payment processors. Any business that handles credit card data, from an end merchant through processors and the issuers themselves, is part of the PCI. Established by a consortium of Visa, Mastercard, American Express and others, PCI is one of the largest commercial groups creating a minimum security requirement for its members. The Data Security Standard (DSS) calls out far more specific protection requirements for its members than anyone outside of the Federal/military, and applies those protections to each phase of a credit card’s processing. The final list of 12 rules includes items such as encryption, firewalls, intrusion detection, log management, and authentication/authorization. The PCI DSS’s final implementation date was over two years ago, in 2007, after a two-year extension. Each member had to pass an audit by a qualified assessor, and if a member was not in compliance, it was typically given a set amount of time to come into compliance.

One thing that does stand out is Heartland’s insistence that no Social Security numbers, unencrypted PINs, or addresses/telephone numbers were disclosed. These are specific requirements of the DSS – it interests me whether the lack of disclosure occurred because the data were not collected, or because the data were simply encrypted. As mentioned earlier, encryption is one of the PCI DSS requirements. Encryption may eventually be broken, although by using the latest algorithms the information is typically expected to be useless by the time it is finally disclosed. The European Union requires limiting the collection and storage of data to the minimum absolutely required. This prevents accidental disclosure, such as the loss of inmates’ medical records in the UK. According to the CIPP reference guide, good privacy policy in the US should follow this sort of minimalistic attitude.
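The minimalistic attitude described above, applied to a transaction log, as an added Python example that is not from the post or from Heartland: the record that gets retained keeps only a masked PAN for display and a keyed token for matching repeat cards, so the full card number and expiry never reach storage. The sample transactions and the HMAC key are constructed for the example; the card numbers are standard test numbers, not real accounts.

```python
import hashlib
import hmac

# Constructed sample records standing in for a processor's transaction log.
SAMPLE_TRANSACTIONS = [
    {"name": "A. Cardholder", "pan": "4111111111111111", "exp": "12/10", "amount": 1999},
    {"name": "B. Cardholder", "pan": "5555555555554444", "exp": "06/11", "amount": 4500},
]


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, run before a PAN is accepted at all."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed reference token so repeat cards can be matched without the PAN.
    The key lives in a separate key-management system (assumed here), because
    the PAN space is small enough that an unkeyed hash could be enumerated."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimise_record(txn: dict, key: bytes) -> dict:
    """Return only the fields the business needs to retain.
    The PAN, expiry date and cardholder name are deliberately dropped."""
    if not luhn_valid(txn["pan"]):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(txn["pan"]),
        "pan_token": pan_token(txn["pan"], key),
        "amount": txn["amount"],
    }


if __name__ == "__main__":
    for txn in SAMPLE_TRANSACTIONS:
        print(minimise_record(txn, b"constructed-demo-key"))
```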

In the next iteration of the PCI provisions, aptly named the Payment Application DSS, all programs that handle credit card information must have application layer protections embedded in the system by 2010. This should take care of many threats due to network data pilfering, but will have considerably less effect on illegitimate software running on a bank’s systems. Hopefully it will result in lower business postage charges.

