Thursday, August 13, 2009

On Heartland VI

No time to comment on this, but aggregating this sudden revival of “the Heartland saga” is A MUST at this stage.

  • Heartland CEO Carr interview with CSO Magazine titled “Heartland CEO on Data Breach: QSAs Let Us Down.” Notable quotes are: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem”, “The false reports we got for 6 years, we have no recourse. No grounds for litigation,”  “up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process” and “PCI compliance doesn't mean secure.” Niiiiice. Also, why-oh-why did Bill ask that last question “What should companies be asking in terms of the insider threat?” Why did ya, Bill? :-)
  • Mike Rothman freaks out and goes on a rampage in “One Man's View: Heartland CEO Must Accept Responsibility.” Notable quotes are: “my blood is boiling”, “It's about time organizations suffering from a data breach owned up to the fact that they made a mistake”, “inevitably it will happen again”, “you cannot outsource thinking” (my personal fave!), “they [QSA] are not there to tell an organization whether they are secure or not – that […] is the responsibility of the internal security team”, etc.
  • Rich Mogull freaks out in unison and goes on a rampage in “An Open Letter to Robert Carr, CEO of Heartland Payment Systems.” Notable quotes are: “Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car”, “Their [QSA] role isn't even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI”, “Unless your QSAs were also responsible for your operational security, the only ones responsible for your breach are the criminals, and Heartland itself.”  BTW, this is the post where you have to also read the comments!
  • Andy reads all this and freaks out as a result in “Will the real leader please step forward.” Notable quotes: “If we can’t trust them to be responsible in this then how can we trust them to be responsible in any other way.” The rest of his comments are too strong even though this is my personal blog.
  • Branden from VeriSign coolly adds in “Bob Carr: "QSAs let us down." And Things Never Heard by a QSA.” He also thoughtfully reminds everybody that their PREVIOUS QSA, not CURRENT one did it. Notable quotes are: “The article is a fantastic read, but also slightly humorous in nature”, “Some QSAs WILL let you down. You get what you pay for, and some QSAs may not do a good job.”

Enjoy! Will add more as the come.

Possibly related posts:

Dr Anton Chuvakin