Heartland, Heartland, blah blah blah…

Posted by in Analysis on Jan 28, 2009

Everybody keeps talking about Heartland. Now, personally, I think the story’s been played out just a touch too much… but since everyone keeps talking about it, who am I to criticize? I’ll just go with the flow.

So, interestingly, the CEO of Heartland has gone on record saying that he’s concerned about the frequency of cyber attacks and that he wishes PCI had a requirement for encryption built into the process. Specifically, he said:

“I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week,” Carr said… The Heartland boss is also advocating the adoption of data encryption throughout the payments industry, as well as improved and safer standards of payments.

Umm… Is it me or does anybody else see something wrong with that statement? Like, the article isn’t real specific about where he wants there to be more cryptography, but it seems to me that there’s a number of cryptography requirements built into PCI already. For example: 2.1.1, 2.3, 3.4, the entirety of requirement 4, and so on… and so on.

If “render PAN, at minimum, unreadable anywhere it is stored…” isn’t clear enough, it goes on to describe using cryptography to do that. Based on what I’ve heard, I’m not sure how encryption would have helped here anyway. But I guess I’ll wait until there’s more data out there before calling them to task on that.

No, I think this is just an attention-diverting technique on the part of Heartland to say “it’s not our fault, there should have been more regulation”. The bankers said that too about the financial meltdown, and I’m getting tired of it as an excuse. I can’t use it in day-to-day life, for example. I can’t go on a kleptomaniacal rampage in the mall and then say, “well, I realized that there were laws about shoplifting, but really they weren’t specific enough. Rather than holding me accountable, why don’t we all join together in advocating more specific guidance. Like about not stealing pickled ribs… from Hickory Farms… during the post-holiday sale”?

It’s just dumb.
