Group items tagged

A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil." Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company's failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security. In the article, [Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that." That one comment brought down the house, and not in a favorable way. "I just read Bill Brenner's interview with Heartland Payment Systems' CEO Bob Carr and truthfully, my blood is boiling," Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. "Basically, he's throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn't find anything, therefore he should be off the hook. I say that's a load of crap."

Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. Two firms certified to asses a company's compliance with the Payment Card Industry Data Security Standards (PCI DSS) have been placed under remediation by the PCI Security Standards Council. "We have a contractual relationship with the PCI Security Standards Council and they can pull our certification at any time," Bates said, adding that the firm is working wholeheartedly to remedy the situation. Chris Konrad, senior vice president of client services at Fortrex, did not return a phone call seeking comment. Fortrex's business is U.S-based. The company is in its sixth year assessing service providers and merchants. In addition to being certified to conduct payment application quality security assessments, the firm sells risk management consulting services. It is a reseller in security vendor Qualys Inc.'s PCI Partner Program, according to the company website. Qualys said its "program gives partners generous margins based on their level of certification." The PCI Council launched its quality assurance program for assessors in September to address growing concerns from merchants about the quality of their assessments and other issues. Merchants have complained that some QSAs don't appear to have the technical skills necessary to conduct a thorough assessment. Other merchants have raised issues with QSA's pitching security products during the assessment process. Merchants that receive negative feedback are placed on probation and a revocation process is in place if assessors do not address the issues identified by the council.