CU Info Security reports that a new master companion filed in a class-action lawsuit against Heartland Payment Systems claims Heartland CEO Robert Carr told industry analysts the Payment Card Industry Data Security Standard, or PCI DSS, was an insufficient protective measure.
According to the suit, Carr told analysts in November 2008 that he deemed PCI DSS feeble:
(We) also recognize the need to move beyond the lowest common denominator of data security, currently the PCI DSS standards. We believe it is imperative to move to a higher standard for processing secure transactions, one which we have the ability to implement without waiting for the payments infrastructure to change.
The complaint filed in the class-action suit alleges that Carr's comments confirm the PCI standards are minimal and that the actual industry standard for security is much higher:
Heartland executives were well aware before the data breach occurred that the bare minimum PCI DSS standards were insufficient to protect it from an attack by sophisticated hackers.
