In a lawsuit filed in the wake of the Heartland breach, the plaintiff’s attorneys allege that Heartland knew that the PCI DSS was “insufficient” to protect cardholder data. Specifically, the lawsuit alleges, “Heartland executives were well aware before the Data Breach occurred that the bare minimum PCI-DSS standards were insufficient to protect it from an attack by sophisticated hacker…” They base this allegation on an earnings call held the November prior to the breach in which the CEO states that Heartland will “move beyond” the PCI DSS, which was the “lowest common denominator” of security. The lawsuit uses that statement as evidence that the “industry standard” for security is actually set much higher. This is a chilling turn of events for many in the Payment Card Industry.

Essentially the effect of such a suit, provided the judge finds in the plaintiffs’ favor, is to provide dis-incentives to organizations to implementing security controls beyond those that are detailed within the PCI DSS. Why would they, when the result is that the organization takes on additional liability? The result of such a decision would be to encourage companies to do the minimum to meet compliance with the PCI DSS, lest they inadvertently set a new “industry standard” to which they will be held accountable in the event of a data compromise.
Further, many organizations have chose to make a “core competency” of security as a marketing advantage. By implementing additional security controls, organizations can achieve a competitive advantage - attracting new customers through the use of security expertise and a greater level of data protection. This strategic business decision is now in jeopardy, as well.

As data security professionals, we’ve all encouraged our clients to go beyond compliance and get secure. As business professionals, now we must ask whether the risk of going beyond compliance outweighs the risk of being insecure. If an organization simply achieves compliance and is breached, they can apparently make the claim that “We were PCI DSS compliant.” However, if that company implements controls beyond the level of strict compliance, are they going to be held to a higher standard? If the case goes in favor of the plaintiffs on this point, it sets the cause of Payment Security back five years - a “one-size fits all” compliance program once again takes precedence over risk-based information security management.