Heartland breach raises questions about PCI standard’s effectiveness

Ellen Messmer reports:

[…]

It’s not yet known if the Heartland data breach will count as the largest card heist ever. But some analysts say what is clear is that payment-card processors are under increasing attack, and that the Payment Card Industry (PCI) data security standard that Visa and MasterCard require isn’t sufficient to ensure cardholder data is safeguarded.

“Billions is being spent on PCI compliance, but it isn’t really working,” says Gartner analyst Avivah Litan. “PCI’s dirty little secret is that it doesn’t mandate encryption inside a private network because then all the processors would have to encrypt.”

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered. But Litan notes the complex interconnections among payment-card processors, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated.

The irony, Litan says, is that some retailers today do encrypt using VPNs to send cardholder data to a payment processor like Heartland, but processors decrypt it to transmit it onward.
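The distinction Litan draws, transport encryption that is terminated at every hop versus application-level encryption applied once where the card data originates, is easier to see in a small model of the merchant, processor and bank data flow. The following Python is an added illustration, not code from the article or from any payment network; the parties, keys and the test card number are constructed for the demo, and the HMAC-SHA256 counter-mode keystream stands in for a real authenticated cipher only so the example runs with the standard library. What it shows is which party ever holds the plaintext PAN under each design.

```python
"""Added illustration: hop-by-hop (VPN-style) link encryption versus
end-to-end application-level encryption of a card number travelling
merchant -> processor -> acquiring bank. Names, keys and the card
number are constructed; nothing here is from a real payment system."""
import hashlib
import hmac
import os
import struct

# Constructed test value (a well-known test number, not a real card).
SAMPLE_PAN = b"4111111111111111"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 as a PRF. Illustrative
    # stand-in for an authenticated cipher (e.g. AES-GCM), chosen only
    # to keep the demo dependency-free; the point of the example is
    # where plaintext exists, not the cipher construction.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">I", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def hop_by_hop(pan: bytes) -> dict:
    """Each link has its own key; the processor terminates the merchant
    link and so necessarily holds the PAN in the clear before it
    re-encrypts for the bank link. Returns who saw plaintext."""
    link_merchant_processor = os.urandom(32)
    link_processor_bank = os.urandom(32)

    wire = encrypt(link_merchant_processor, pan)          # merchant -> processor
    in_processor_memory = decrypt(link_merchant_processor, wire)
    wire = encrypt(link_processor_bank, in_processor_memory)  # processor -> bank
    at_bank = decrypt(link_processor_bank, wire)

    return {
        "processor_sees_pan": in_processor_memory == pan,
        "bank_recovers_pan": at_bank == pan,
    }


def end_to_end(pan: bytes) -> dict:
    """The merchant encrypts the PAN under a key shared only with the
    bank (assumed to be provisioned out of band). Link encryption is
    still used per hop, but the processor only ever handles an opaque
    payload plus clear-text routing data."""
    bank_key = os.urandom(32)                 # merchant POS <-> bank only
    link_merchant_processor = os.urandom(32)
    link_processor_bank = os.urandom(32)

    payload = encrypt(bank_key, pan)          # applied at the point of origin
    routing = b"merchant-id:demo-0001|"       # constructed routing header
    wire = encrypt(link_merchant_processor, routing + payload)

    at_processor = decrypt(link_merchant_processor, wire)
    header, opaque = at_processor.split(b"|", 1)
    wire = encrypt(link_processor_bank, opaque)  # forwarded unchanged

    at_bank = decrypt(bank_key, decrypt(link_processor_bank, wire))

    return {
        "processor_sees_pan": pan in at_processor,
        "processor_sees_routing": header == b"merchant-id:demo-0001",
        "bank_recovers_pan": at_bank == pan,
    }


def parties_holding_plaintext(mode: str, pan: bytes = SAMPLE_PAN) -> list:
    """Summarise each design as the sorted list of parties that hold the
    card number in the clear at some point in the flow."""
    result = hop_by_hop(pan) if mode == "hop-by-hop" else end_to_end(pan)
    parties = ["merchant"]  # the point of origin always has it
    if result["processor_sees_pan"]:
        parties.append("processor")
    if result["bank_recovers_pan"]:
        parties.append("bank")
    return sorted(parties)


if __name__ == "__main__":
    for mode in ("hop-by-hop", "end-to-end"):
        print(mode, parties_holding_plaintext(mode))
```

The model deliberately keeps link encryption in both designs: end-to-end protection is an addition at the application layer, not a replacement for the VPNs retailers already run, which is why the processor in the second flow still sees routing data but never the card number.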

Read more on Network World

About the author: Dissent