Heartland update from WSJ: Heartland Gets Religion on Security
Aside from the scale, the breach stood out from the hundreds of others reported each year because Heartland had recently passed a security audit.
Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough. It’s the “lowest common denominator,” he says, adding that the audit didn’t detect the vulnerability that led to the hack even though it had existed for years.
Carr also believes that the vast majority of breaches go unreported. He says that around 300 companies were victimized by the same hacker as Heartland, but that most have never come forward. He points to loopholes in the state laws meant to protect consumers in the event of a data breach as the reason.
There was a great Dilbert cartoon a while back on "best practices" that I think you'll appreciate:
http://dilbert.com/strips/comic/2008-09-03/
Posted by: Ben | June 24, 2009 at 02:12 PM