February 11, 2009 1:43 PM

Major Data Breach Puts Millions At Risk

By Armen Keteyian

(CBS) If the market meltdown, housing and bank crises weren't enough, U.S. consumers can now add the potential of massive credit and debit card fraud to the list of financial concerns. A major processor of credit card transactions just disclosed its system had been hacked, putting millions of consumers at risk, reports CBS News chief investigative correspondent Armen Keteyian.

The cyber-thieves went straight to the heart of one of the biggest and most respected credit and debit card processing companies in the country, Heartland Payment Systems of Princeton, N.J.

"It could be the largest breach ever," said cyber law attorney Andrew DeVore. "It would dwarf the largest prior breach."

Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.

Heartland, which acts as a middleman between retailers and banks, processes 100 million transactions per month at an estimated 200,000 merchants nationwide - mainly gas stations, bars and restaurants.

The company says it has alerted about 150,000 of them, but CBS News found several that didn't learn about the breach until we told them.

"I'm disappointed from that point of view that they wouldn't be up front and proactive. Because customers trust us to protect their records and they are the keeper of the record," said bar owner Peter O'Connell.

Now there are concerns the public company has downplayed the danger to untold millions of consumers.

"I think the release of information was a bit manipulative in the timing," said security analyst Avivah Litan of Gartner Group. "It was released on inauguration day, but the incident was known about for days before that."

The president of Heartland originally agreed to an interview with CBS News before canceling. We wanted to ask why the company's inauguration day release didn't even mention that millions of credit card numbers and expiration dates - the only information needed for fraud - were stolen.

Only today did Heartland say it doesn't know how many card numbers were compromised. Its only advice was for consumers to check their own statements to make sure they're not the latest victims of financial fraud.

Copyright 2009 CBS. All rights reserved.
by orlandovalle May 10, 2009 9:40 AM EDT
The Payment Card Industry Data Security Standard (PCI DSS) provides an enterprise structure for improving operational, security, and audit performance. The benefits of the PCI DSS go beyond audit costs and results, however.

As a security model, PCI requirements can help companies control compliance costs and build a more efficient and reliable IT infrastructure that delivers better service while incurring less risk.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

Maintain a secure network
This standard refers to the actual network that cardholder data is exposed to. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye. Do you keep cardholder data (even just names) on a laptop that you use on public networks? Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer must be behind a firewall and all reasonable measures must have been taken to protect that particular network.

Protect Cardholder Data
This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can access it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

Ecommerce businesses need to be especially critical of the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard.

Maintain a Vulnerability Management Program
This one is relatively simple, and translates to keeping up to date with your systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up to date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

Implement Strong Access Control Measures
The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

Regularly Monitor and Test Networks
Networks that store cardholder data must be monitored and tested regularly. Regular scans of security measures and processes, monitoring and tracking of network access to cardholder data are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert's Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

Maintain an Information Security Policy
Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it's important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated. Next month, we'll take a look at the four validation ratings, and what each rating means to a company.

For More Information go to freeequipmentnow
by bobnjersey January 26, 2009 5:42 PM EST
[Only today did Heartland say it doesn't know how many card numbers were compromised. It's only advice was for consumers to check their own statements to make sure they're not the latest victims of financial fraud. ]

so what's the penalty to the company officers for allowing such a breach.

what's that ... there isn't any? how could this be?

how is it that every yahoo under the sun can store, trade, sell, and mine 'your' sensitive data ... and you have no control over it or knowledge about what's being done with it?

when is this going to be changed? is this even on the list of things for this congressional session to cover?

by kkcbs January 26, 2009 4:40 PM EST
walt1944, why the hail Obama? That doesn't make any sense...
by walt1944-2009 January 26, 2009 2:21 PM EST
The moral of this story is cut up your credit cards and pay them all off if you can, close the accounts and PAY CASH!!!!!

HAIL OBAMA!!!

by rwsmith29456 January 26, 2009 3:52 AM EST
As a representative from a major credit card company, and a conservative, I believe that it's always the customer's responsibility to make sure their money is safe. Even if the bank loses your information, it's still your responsibility. The people should always be accountable, never the good corporations. Yes, I deeply believe this. --------------------------------------------------------------------------------

I believe this is a troll.
by rwsmith29456 January 26, 2009 3:50 AM EST
What to do about this? Better security, better attacks. People will always try to get other people's money. Bank vaults have been broken into, but I don't think that has ruined as many people as thoroughly as having their financial good name trashed. Computers, especially networked computers are obviously NOT secure and won't be for a long time, if at all. We have to face it. If your accounts are online they are accessible to hackers.
by hetup-2009 January 25, 2009 10:07 AM EST
I love it. Hack away boys and girls, drop this company to its knees. Free money for everyone until the collapse of the miserable banking system which is evil as the Devil.
by cbsblogger January 25, 2009 12:32 AM EST
As a representative from a major credit card company, and a conservative, I believe that it's always the customer's responsibility to make sure their money is safe. Even if the bank loses your information, it's still your responsibility. The people should always be accountable, never the good corporations. Yes, I deeply believe this.

Posted by incog-nito at 07:31 PM : Jan 24, 2009
===================================

You exemplify why so called conservatives are fools. But I sense some cynicism here. Bush believes what you say, but most Americans don't.
by cbsblogger January 25, 2009 12:28 AM EST
Why isn't this business being sued for billions for the damage to the reputation and financial harm of their customers? Until these businesses are held fully accountable it will be the customers who will always pay and the businesses will do nothing to prevent it.
by shatuga-2009 January 24, 2009 11:47 PM EST
MERCHANTS... not the banks, nor the cardholder, bear the burden for the fraud. Particularly online merchants. While cardholders have to check their statements and may have debit card accounts frozen and bounce checks and stuff, the Merchant bears the cost.

All of this would be a wash if all credit cards included a secret rotating code to use online, the way the paypal dongle works. It makes the cards more expensive. $10 or so each. But PCI compliance (what a joke) cost the industry TWO BILLION DOLLARS last year, and look at Heartland: Even that wasn't effective.

If I were Obama and Congress I'd make the card associations pay for the fraudulent transactions that run through as a result of this breach. MasterCard and Visa: YOU ARE IRRESPONSIBLE!
