Heartland CEO Blames Breach On PCI Auditors
Robert Carr, CEO of Heartland Payment Systems, blamed his company's possibly record-breaking card security breach, which it revealed in January, on the firms the company hired to audit its compliance with card data security standards. In an interview with Computerworld magazine (www.computerworld.com), Carr expressed shock that not only had the firms tasked with auditing Heartland's compliance with industry data standards failed to detect its potential vulnerabilities, they had also been unaware that thieves had been widely using a similar approach prior to attacking Heartland. "The audits done by our QSAs [qualified security assessors] were of no value whatsoever," Carr told the magazine. "To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."