Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants:
QSAs cannot be held liable for customer breaches, but seeing as the compromise occurred only a few months after their final audit, it does bring into question PCI DSS auditing practices and whether they're just a 'tick in the box' exercise or actually leave companies with a long-lasting compliance strategy that helps merchants and service providers remain compliant.
I'm hoping this wakes companies up to the risks of dealing with credit cards and it highlights the fact that just because they've ticked all the boxes in an audit doesn't mean they can slack off for the rest of the year, play golf and let hackers help themselves to valuable customer records.
Especially in times of recession, criminals will always be one step ahead. Point security solutions don't necessarily help, but ensuring the integrity of core systems and ensuring a full independent audit trail is essential to help combat the ever-increasing likelihood of successful intrusion.