Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
[ http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ ]
What is PCI-DSS anyway? It's a set of guidelines which must be met by organizations processing credit cards. It boils down to twelve points, which are listed here on this SearchSecurity article by Bill Brenner:
Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security
[ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1245727,00.html ]
Reading the Wired article, you can see that the attackers did ensure that their sniffer application would not be picked up by Anti-Virus tools (rendering Requirement 5 useless). And they stole the data from on-the-wire on the internal network, behind the firewall (thus rendering Requirements 1 and 4 useless - the data was not being sent on a public network). It could be argued that the fact that the breach originated from a SQL Injection attack means that Requirement 6 was not met. However, the Trustwave audit would seem to have satisfied Requirement 11.
But basically, this points to one of the big issues with PCI-DSS: its vagueness. It is too easy for an organization to be deemed "PCI-DSS Compliant" but then be hit with an attack like this.
