Heartland CEO gets a smackdown after his CSO interview - Computerworld Blogs
If you are reading this, you probably know about Heartland Payment Systems and the credit card system breach they suffered in late '08 - early '09. There are a lot of details to be found, so I won't rehash them all. So let's just focus on one point: Heartland had been declared PCI compliant before the breach. And that is the focus of Robert Carr, Heartland CEO, in his interview with Bill Brenner at CSO Magazine. He places the blame for his breach squarely on PCI DSS and the QSAs (Qualified Security Assessors) that audited Heartland's PCI compliance. And that is why Rich Mogull got out the can opener and proceeded to open a big can of whoop-a$$.
Honestly, Rich has already done a better job than I could do on explaining why Mr. Carr's statements were misguided at best. So I will just point out a few quotes and leave you to read the interview and the post.
Good for the CSO here. This is a recurring theme that we constantly try to state in our engagements regarding the responsibilities of the Board and the CEO. They have the final say on, and the ultimate responsibility for, their compliance. They should not place the blame on anyone but themselves.