Thursday, April 23, 2009

Bubble Gum and Baling Wire

People who know me will tell you I'm a little gun-shy on trusting our most sensitive data to the cyber-security of others. Call it an occupational hazard. I used to get paid to do bad things to others before truly bad people did it to them for real. It gives you a whole new perspective on things. Therefore, I take reasonable precautions (and some unreasonable ones).

Imagine my dismay when I received notice from my credit card company telling me that my card had been compromised. I always knew it was a question of when, not if. This message was originally posted to my credit card company's intra-web (which I never check) in January. I got a personal email from them yesterday in April.
We are canceling this account because of a recent non-[company] data compromise. You'll receive a new card with a new number to use. When you receive the new card, activate it immediately, or your current card will remain active for 20 days after the postmarked date on the envelope containing your new card.

Heartland Payment Systems, a national card payment processor, announced this week that it had experienced a security breach within its processing system. We are working to identify members who may have been affected and will begin reissuing cards as soon as Saturday for those cards at greatest risk.
Of course I didn't click on any of the links in the email, but called my credit card company directly for confirmation. When I asked why they were so late in notifying me, the candid answer was that they simply had too many credit cards to check, and they had just identified me as an affected member. To their credit, they notified me the same day and put a new card in the mail the next.

But that still makes me not a Happy Camper. (The least of reasons was that it took me 10 years to memorize that credit card number.) The good news is that I don't appear to have any spurious charges on my account. The bad news is that anything that even smells like identity theft makes my hackles rise.

What stinks is that despite all my personal precautions, this data breach is something I had no control over whatsoever. Once the payment at the vendor is complete, it goes directly to a payment processor company like Heartland, which is like a giant payment warehouse. All such processor companies must be PCI DSS compliant (the credit card industry's security standard) and certified, but as the evidence has shown, that doesn't count for a whole lot, does it?

While this amounts to a mere annoyance for me, it kind of highlights the fact that the whole system is put together with bubble gum and baling wire, doesn't it?
