The January announcement of the failure of the security protection system at Heartland Payment Systems was a sudden and hard blow to a great number of customers and institutions. Many entities were still suffering the implications of the data leak in which 45 million credit and debit cards were compromised by cyber criminals who accessed the retailer's Wi-Fi systems.
What is notable here is that Heartland, one of the top payment processors in the U.S., had been granted PCI compliance, which certifies that a company compliant with this standard has top-quality security technology capable of protecting customers' data at a high level. The calamity that befell Heartland should serve as a lesson to others. Even if a financial institution that uses electronic systems to process sensitive data has developed the best instruments to encrypt and secure the information, one aspect should not be underestimated: the human being. Companies need to understand that while machines and electronics facilitate production and processing, they can easily be manipulated to do what a smart violator wants.
The Ponemon Institute conducted a survey that polled 43 businesses that had experienced a data breach. The results showed that 88% of all cases involved insider negligence.
"It's impossible to create an environment where you cannot have a data breach," said Larry Ponemon, founder and chairman of the Ponemon Institute. "Data breaches will probably continue even for the best of companies, but it's how you detect it, how you respond to it and how you manage the risk that matters most."
Organizations do not seem to fully understand that encryption cannot be viewed as a guarantee that data will not and cannot be exposed, because what is encrypted has to be decrypted at the final end in order to be accessed.
"Malware detection is really critical so you don't have Trojans there when you deencrypt it," says Phillip Dunkelberger, president and CEO of encryption vendor PGP Corp.
PCI compliance is not the peak that the financial industry should strive for. It is just a baseline for protection, and, as some observers note, vigilance is more important.
"The only way to do this right is a combination of good technology solutions and generally smart people who are educated and trained appropriately," Ponemon said. "You solve this problem by training people and giving them the tools to secure their data."