In a recent development, Heartland Payment Systems will pay American Express $3.6m to settle claims related to the criminal breach of its payment processing network last year.
During this security incident, which Heartland disclosed in January 2009 (the intrusion itself took place during 2008), millions of card records were stolen by exploiting security vulnerabilities in its web applications. Albert Gonzalez, also known as "segvec", "soupnazi" and "j4guar17", used SQL injection to steal the card data. Because SQL injection exploits flaws in the web application itself and arrives over the same HTTP connections the application is meant to accept, the network firewall offered no real protection; the attack simply bypasses conventional firewalls. The decade-old technique targets web applications that fail to adequately scrutinize the text that visitors type into search boxes and similar website fields that accept user-supplied input.
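To make the "unscrutinized search box" point concrete, here is an added example (not code from the original post, and not a reconstruction of Heartland's actual application) showing a search query built by string concatenation next to the same query written with a bound parameter. The table names, the sample rows and the injection payload are all constructed for the demonstration; the payload uses a UNION to pull rows out of an unrelated table, which is the general shape of the technique the text describes.

```python
import sqlite3

# Constructed sample data for the demo only; these are test PANs, not real cards.
SAMPLE_PRODUCTS = [("Widget", 9.99), ("Gadget", 19.99)]
SAMPLE_CARDHOLDERS = [("Alice", "4111111111111111"), ("Bob", "5500000000000004")]

# Hypothetical attacker input typed into a product search box. The leading quote
# closes the LIKE literal, the UNION appends rows from another table, and the
# trailing "--" comments out whatever the application puts after the input.
PAYLOAD = "' UNION SELECT name, pan FROM cardholders --"


def make_db():
    """Build an in-memory database with a harmless table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.execute("CREATE TABLE cardholders (name TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_CARDHOLDERS)
    return conn


def search_vulnerable(conn, term):
    """The mistake: user input is pasted straight into the SQL text, so the
    database cannot tell the attacker's SQL from the application's SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """The fix: the query text is fixed and the search term travels as a bound
    value. The same payload is now just an odd string that matches nothing."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def leaked_pans(rows):
    """Return any values in the result set that look like PANs from the
    cardholders table, i.e. data the search endpoint should never expose."""
    known = {pan for _, pan in SAMPLE_CARDHOLDERS}
    return sorted(value for row in rows for value in row if value in known)


if __name__ == "__main__":
    conn = make_db()
    print("benign, vulnerable:    ", search_vulnerable(conn, "Wid"))
    print("benign, parameterized: ", search_parameterized(conn, "Wid"))
    print("payload, vulnerable:   ", leaked_pans(search_vulnerable(conn, PAYLOAD)))
    print("payload, parameterized:", search_parameterized(conn, PAYLOAD))
```

Both functions return the same result for an ordinary search term; only the concatenated version turns the payload into a second SELECT against the cardholders table. Note that nothing at the network layer distinguishes the two requests, which is why a firewall in front of the web server does not help here.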
The actual cost of this incident could be much higher than the settlement amount, since Heartland also has to account for reissuing the affected cards, settling other disputes and so on.
The key issue is the vulnerabilities in the various systems. How can an organization detect such vulnerabilities when assessments by its QSA, ASV or other third parties fail to find them?
It is important to have security as an active participant throughout the software development life cycle. Another option is to procure applications that are PA-DSS certified.
Will that be enough to save the company and protect the cardholder information? Maybe.