Lessons from the Heartland Breach

Heartland Payment Systems announced on January 20, 2009 that they had experienced a huge data breach. This breach came almost soon after the breaches of  Hannaford and TJX, two other payment system companies. Despite the arrival in PCI DSS data breach laws there has been an increase in data compromises of 47% from 2007-2008. It makes one think, if companies are PCI DSS complaint then how could private data be at risk of breach? 

 Many writers have recently written about their views on the PCI DSS. Many believe that the breach is evidence that the PCI DSS system of data protection is inefficient. Despite the opinions of these writers, the increase of data breach does not prove, or show evidence of a flawed system. It does show however, the difficulty to effectively protect personal data.  

There are several aspects that must be considered when investigating a data breach, such as, the type of data being stored, how and why it is stored, and how it is being protected. The way that data is compromised should also be given thought.  To predict every threat to data is almost impossible, the best one could do is limit the risk to an acceptable degree.  

PCI DSS compliance issues have become the main focus with companies in the industry rather than security. Some feel that it is better for business if the merchants and other companies are not well informed on the PCI DSS. The companies put their trust in the PCI DSS and expect there information to be kept safe and not at risk.  Many companies have not been interested in understanding information security and the difficulty in protecting data. Many are hiring experts for PCI compliance and expecting data security when the PCI DSS standards are not up to par.  

In short, data thieves are winning the battle of data security. Education of security strategies and risk management should be the goal of companies instead of a compliance based approach to risk management. Data thieves are always becoming more creative, organizations need to become more creative in protecting the data. All companies are experiencing difficulties on data security as shown by the Heartland data breach. Clearly, the PCI DSS data security standard should be reevaluated.