More Companies Validated as PCI Compliant Breached
Despite the changes to PCI that went into effect in October 2008, more PCI-compliant entities are suffering security breaches. Added to the list of Hannaford, Best Western and Forever 21 are Heartland Payment Systems and RBS Worldpay. The Heartland Payment Systems breach was reported on January 20, 2009 in the midst of President Obama's inauguration. While the extent of the breach is unknown, some commentators are speculating that it could be the biggest breach in history. Heartland reportedly processes 100 million transactions a month, but is not certain how many payment cards were exposed. More information here. RBS Worldpay suffered a breach that reportedly exposed 1.5 million cardholders, and resulted in 100 instances of fraud. The breach included not only cardholder data, but also involved the Social Security numbers of about 1.1 million account holders. More information here. These incidents again raise the question as to the efficacy of PCI. Of course it is possible that these processors made a mistake in validating their PCI compliance. Nonetheless, premilimary reports indicate that the Heartland breach was caused by malware installed behind Heartland's firewall on its internal network. Assuming PCI was complied with, the issue becomes whether or not encryption during transmission over Heartland's network would have prevented the exposure, and the further question will be whether failing to encrypt internally is "unreasonable" as a matter of law (getting to a T.J. Hooper rationale). More to come I am sure. Lawsuits? Regulatory scrutiny? Will this be a Card Systems or TJX situation, or something less severe? ISC will keep you posted.