Heartland CEO thought QSAs would make him compliant and secure
Bill Brenner (one of my favorite real media types) has a great interview up on CSO Online with the CEO of Heartland. Robert Carr, Heartland Payment Systems CEO, blames his QSAs for not investigating the already known “common attack vector” that allowed the malware to be planted on his systems. In reading the article it was pretty apparent to me that he made a common mistake. He thought the QSAs were there to make him both secure and compliant. They are not the same thing, and the QSA’s job is to make him compliant. I guess they did, but that didn’t help him be secure.
Of course, after the fact everyone gets religion. Carr says that PCI is just a minimum set of standards and does not make you secure. Mr. Carr, that does not make your QSA audits fraudulent, as you call them, though. It just means you were only compliant. But PCI was not the only thing Carr was compliant about. He was compliant with not taking security seriously: doing the minimum and spending the minimum to do what he had to. Now, of course, he is creating industry groups to share security info. He is spending millions on security products to protect and encrypt.
Isn’t that the real travesty of our industry, though? Only after the cows have run out and the barn has burned down does anyone really give a crap. Even by his own admission, with what happened to him and his company, when he goes to talk to others in his industry the feeling is still that it can’t happen to them. What will it take? Does every single one need to have a security incident?
I am sorry to say that this just proves what many of us already knew. People don’t take security seriously until it is too late!