
August 12, 2009

Heartland CEO thought QSAs would make him compliant and secure

Bill Brenner (one of my favorite real media types) has a great interview up on CSO Online with the CEO of Heartland. Robert Carr, CEO of Heartland Payment Systems, blames his QSAs (Qualified Security Assessors) for not investigating the already known “common attack vector” that allowed the malware to be planted on his systems. Reading the article, it was pretty apparent to me that he made a common mistake: he thought the QSAs were there to make him both secure and compliant. Those are not the same thing. A QSA's job is to assess whether you meet the PCI DSS requirements, and that is all. I guess they did that, but being found compliant did not make him secure.

Of course, after the fact everyone gets religion. Carr now says that PCI is just a minimum set of standards and does not make you secure. Mr. Carr, that does not make your QSA audits fraudulent, as you call them. It just means you were only compliant. But PCI was not the only thing Carr was compliant about. He was also compliant with not taking security seriously: doing the minimum and spending the minimum to do what he had to. Now, of course, he is creating industry groups to share security information and spending millions on security products to protect his systems and encrypt the card data flowing through them.

Isn’t that the real travesty of our industry, though? Only after the cows have run off and the barn has burned down does anyone really give a crap. Even by his own admission, with everything that happened to him and his company, when he goes to talk to others in his industry the feeling is still that it can’t happen to them. What will it take? Does every single one of them need to have a security incident?

I am sorry to say that this just proves what many of us already knew: people don’t take security seriously until it is too late.

Listed below are links to weblogs that reference Heartland CEO thought QSAs would make him compliant and secure:

» PCI Compliance Around The Web from PCI DSS Compliance Blog
It’s been an interesting couple of weeks in the PCI compliance world, with no shortage of aspersions cast toward PCI standards specifically, and the payment card industry in general. PCI proponents, though, aren’t taking the criticism lightly, choosin... [Read More]
Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.