Does Heartland Blame its QSAs?
Rich Mogull’s stern admonitions (http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems/) to Robert Carr, the CEO of Heartland Payment Systems, after Carr’s interview by CSO Online are shrill and overstated. Mogull took several paragraphs to refute something attributed to Carr that never appeared in the Carr interview: that Carr blames his QSAs for his breach.
In the article, Carr never blamed his QSAs for the breach. Carr does say, “The audits done by our QSAs were of no value whatsoever,” and he later says, “The false reports we got for 6 years (from our QSAs), we have no recourse. No grounds for litigation.” While these statements might imply that the QSAs were to blame, they are a long way from making that assertion.
Carr expresses frustration that nothing his QSAs did in any way prepared Heartland to discover or defend against the attack. An aggrieved shareholder might have said the same thing about financial audits at Enron; why didn’t the auditors tell us about the massive fraud? Or how about Lehman Brothers shareholders’ plight? Who should have told them about the impending crash? Carr’s frustration seems to be that when he looked at the contract with his QSA, he realized that the QSA had no obligation to tell Heartland about the possible existence of vulnerabilities that might be exploited.
It is ironic that Heartland will rely on those very same QSA reports as a key part of their defense against those who are suing them over the incident. Claimants will say Heartland “knew or should have known about the existence of an exploitable vulnerability.” Obviously, Carr intends to argue that Heartland relied absolutely on the QSA reports and was shocked, SHOCKED, when the breach was discovered only moments after their most recent PCI clean bill of health.
The weakness of Mogull’s argument is obvious from Carr’s and Heartland’s new commitment to leading-edge security, focused on “data in transit” as well as major new initiatives in data loss prevention (DLP) that go well beyond the scope of the PCI-DSS. If Carr really thought his QSAs and not Heartland were to blame for the breach – as Mogull claims – why would Carr now embark on these initiatives? If Mogull were right, would Carr not instead claim, “look at our PCI report and see that we are clearly doing enough to prevent breaches to cardholder data”?
Mogull’s patronizing letter goes on and on pontificating about Carr’s role as CEO and explaining the issues with accountability, roles and independence with which Carr obviously needs no help.
Mogull criticizes Carr for “rely(ing) completely on an annual external assessment to define the whole security posture of his organization.” This is an outrageous accusation against Heartland; one might infer that they had no security staff or that they were dolts. The fact is that Heartland did not “rely completely” on their QSAs, and they can prove they didn’t. Of course, we do not know the contents of the confidential report given to Heartland by its QSAs, and we do not know whether the QSAs gave them a soothing reassurance that all was OK. We do know that Carr thought he paid his QSAs for more, and only after he read the fine print did he discover that “more” was a pipe dream.
All of this lather shifts attention away from PCI-DSS. PCI-SSC and the card brands might consider a reduced system of fines for cases where the processor or merchant passed their PCI assessment but still experienced a breach. As we’ve seen with Heartland and CardSystems Solutions, having a breach is no fun and costs a lot. Adding punitive PCI fines seems to be piling on, a substantial infraction in the NFL, yielding a 15-yard penalty and automatic first down. And it would really help if PCI-SSC would stop saying “We’ve never seen anyone who was breached that was PCI compliant.” This is an absurdity that perpetuates the fiction that (a) having a PCI certificate equates to being secure, and (b) following PCI is enough.
Bottom line, rants like Mogull’s do not help because they unfairly characterize the Heartlands of the world as trying to weasel out of accountability for security. We should instead be asking how companies like Heartland can better avoid breaches and provide them incentives for a positive track record, something that may be more effective than penalties and fines at this point. Like that old joke about 5,000 lawyers at the bottom of the ocean, PCI-DSS is a good start. But PCI-DSS is not the final word and PCI-SSC knows that. They have put out a request for comments and suggestions for improvements to version 1.2.