Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant.
StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:”
What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new.
Rich Mogull points out that:
This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls.
IDS users, vendors or advocates care to comment on why that’s happening?