Monday, April 6, 2009
Heartland, one of the largest processors in the United States, revealed in January 2009 it had been victimized by a security breach that compromised the data of an unknown number of cardholders. The company was certified as Payment Card Industry (PCI) Data Security Standard (DSS) compliant in April 2008.
"There has never been a forum available specifically to the payments industry where we could share information on a confidential basis," said Robert O. Carr, Heartland's Chairman and Chief Executive Officer. "FS-ISAC … has the expertise, experience and infrastructure in place to immediately influence open lines of communication in the payment processing industry while protecting the confidential nature of sensitive information."
The FS-ISAC was established in 1999 in response to the May 1998 Presidential Decision Directive 63, "Critical Infrastructure Protection," which mandated every department and agency of the federal government be responsible for protecting its own critical infrastructure, including both physical and "cyber-based" information systems.
The directive – later updated by the 2003 Homeland Security Presidential Directive 7 – also directed public and private sectors to share information to help protect the country's critical infrastructure. The PPISC was founded to enable CEOs and other high-level officers of payment processors to network and thwart criminal elements attempting to steal sensitive cardholder data.
"The increasing frequency and success of cyber crime attacks are alarming concerns," said William B. Nelson, FS-ISAC's President and CEO. "Data security in the payment processing supply chain is critically important. By forming this council as part of FS-ISAC, we can be very effective in quickly focusing on these needs and expediting the disclosure of information and risk mitigation strategies that are crucial in the fight against cyber criminals."
Heartland spokesman Jason Maloni said the PPISC is Heartland's way of taking data security to the next level. "In addition to adding extra security measures, working with law enforcement and doing a deep forensic investigation, [Carr] wants to make certain that the bad guys are unable to replicate the same piece of malicious software that we encountered," he said, referring to the method hackers used to illegally access Heartland's system.
In March 2009, Visa Inc. revoked Heartland's PCI DSS compliance status, but Heartland expects it to be reinstated by May 2009. In the meantime, merchants who continue to process Visa transactions with Heartland will not be penalized. (For more information about this, see "RBS, Heartland PCI compliance revoked: What's next?" in The Green Sheet, April 13, 2009, issue 09:04:01.)
The PPISC will allow Carr and other Heartland executives to analyze what they know about Heartland's intrusion, discuss how hackers accessed the company's system and offer insights to help prevent the same thing from happening to other processors, vendors or merchants. "I think this is simply one more step in the direction toward improving the security for all players in the industry," Maloni said. "Heartland, of course, is fully behind PCI, but we also have to keep one eye open about what else is needed. It's not as simple as building a better mousetrap. Increased information sharing is essential, but it's also continually looking for solutions that stay ahead of those nefarious individuals and organizations out there that steal data."
The PPISC will hold its first meeting at FS-ISAC's 2009 Annual Member Meeting and Conference on May 5 from 1:30 to 6 p.m. at The Don CeSar Beach and Spa in St. Pete Beach, Fla. For more information, visit www.fsisac.com/events/spring_conference/2009/ or www.ppisc.com .
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.