How strong is the PCI shield?
Heartland CEO Bob Carr announced that they will fight any lawsuit because they were PCI certified at the time of the breach. Others including Hannaford plan to use the PCI shield as a way to protect their pocketbooks from lawsuits.

If being PCI certified meant 1) that your network was free from hackers, exploits, and vulnerabilities on a given date, 2) that you were impervious to attacks from then until now, and 3) that certification equaled security, then I think they would be okay. But it doesn't. PCI represents the minimum standard of security for merchants. Someone like Heartland will have a difficult time hiding behind their PCI certificate when they process over 100 million credit card transactions each month. Their policies, procedures, and security best practices should be so far above PCI that it never comes up.
All that being said, the sophistication of hackers today can go far beyond what even responsible businesses can handle and prepare for. We don't know enough about the Heartland breach yet to know what level of negligence was involved. That will ultimately be what makes them pay or not. I don't believe their PCI certificate will help much.