This is exactly what's wrong with corporations, and why we will continue to see data breaches. People like Heartland Payment Systems CEO Robert Carr obviously ...
- don't understand their responsibility to their customer
- don't understand security
- don't understand the role of compliance in overall security
- can't accept personal blame
..."Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company..." (Network World, 8/12/09)

That's right folks... PCI Compliance Auditors, not Heartland's pathetic security, failed.
So the next time you smash your car into someone else while drunk as hell... the car company failed you... because it's naturally not your fault, and you should not take any responsibility. This is what we're teaching people.
Another brilliant quote...
"What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?"

Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."

I think I'm going to be sick. Robert Carr, how do you sleep at night?