"... Robert O. Carr, chairman and CEO of Heartland, has come out swinging... Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance... Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."
That all sounds very nice. My question is this: why didn't Heartland pursue stronger data security methods sooner? Why did the company wait until after the largest data breach ever to decide to pursue stronger data security measures?
The tough stance by Heartland sounds like that old saying: the best defense is a good offense. It's an attempt to keep people focused on the new PCI-DSS guidelines rather than on the hundreds of millions of consumer records stolen during the Heartland breach.
Remember, after the breach Visa and MasterCard removed Heartland from their list of PCI-DSS approved vendors, and the notification to consumers has been less than optimal. About May 6, Heartland was added back to the list of PCI-DSS approved vendors. And:
"... at least MasterCard also imposed a hefty fine on banks using Heartland. The company also faces a class action lawsuit. Separately, Carr himself is under investigation from the SEC regarding a stock sale he made late in 2008."
Don't feel bad for Heartland. The company is getting the appropriate consequences. The breach has cost Heartland $12.6 million so far in legal costs and fines from Visa and MasterCard.