February 9, 2010


Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr

(September 13, 2009) Among lessons learned by Heartland Payment Systems Inc. after the massive data breach at the merchant acquirer last year: Don’t necessarily hire the qualified security assessor (QSA) offering the lowest bid, says Robert O. Carr, chairman and CEO.

Processors and merchants need to hire QSAs in the same way they hire financial auditors, Carr said during a webinar on Thursday sponsored by Debix.

“We get bids but auditors pretty much will say ‘if we find something we feel has to be investigated further, we’re going to charge you more,’” he said. “Most of us agree to that. That’s the way it needs to be done in the QSA world.”

Prior to the breach, Heartland had been audited six times by qualified assessors as being compliant with the Payment Card Industry data security standard, or PCI, the major card networks’ common set of rules. “Our QSA reports were not worth very much—they didn’t really tell us much at all of value,” Carr said. “That doesn’t mean QSAs are bad people but it means that the system is not working very well.”

Heartland used the bidding process when it hired the QSA that performed the audits before the data breach was revealed. “We went through the process with the QSA and they would ask us the questions and we would answer them to the best of our ability,” Carr said. “And we would get a report that everything is fine.”

But Carr noted that it’s unlikely that a QSA offering the lowest bid, or offering to do “a full assessment for $15,000,” will be able to do a thorough audit. “You don’t want somebody saying, ‘okay, I put in my hours’ and walking out the door,” he says. “That’s what happened not just to Heartland but that’s the way it’s being done today for many of the audits.”

An industry study found that there were 650 data breaches in 2008, including Heartland, “so obviously others were being breached at the same time,” Carr says.

Following the breach, Heartland hired a new QSA to audit its system. “We said find anything you can,” Carr said. “We don’t want a bid from you, we’ll pay you time and materials, and we want you to find everything possible and give us any weakness information that you can.”

During the webinar, Carr also outlined the steps Heartland took to ensure data security after discovering a so-called SQL injection into its system at the end of 2007. An SQL injection—a series of database instructions smuggled into input that a web application passes to its database—is often used by hackers to install malicious software that seeks out, stores and transmits payment card numbers outside of a system.

The SQL injection occurred in a merchant-facing payroll page, not directly into the payment system, Carr said. “We found this SQL injection quickly and we cleaned it up, we thought,” he says. “Unfortunately, we learned 13 months later that the bad guys had gotten in through this SQL injection and we had not found it.”

Over a period of months, the SQL injection worked its way undetected into the payments network despite numerous security checks, including penetration testing of the corporate environment by a QSA in early 2008. “Nothing was found,” Carr said.
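The flaw class the article describes, shown as an added illustration that is not part of the original article and has no connection to Heartland’s actual systems: a lookup on a hypothetical merchant-facing page written two ways. The first splices the request value into the SQL text, so a value containing quote characters changes the shape of the query; the second binds the value as a parameter, so the query text is fixed and the input is only ever treated as data. The merchant table and the inputs are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny merchant table.
SAMPLE_MERCHANTS = [
    (1, "acme-payroll", "acme"),
    (2, "globex-payroll", "globex"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, login TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    return conn


def lookup_vulnerable(conn, login):
    """Vulnerable form: the request value is concatenated into the SQL text.

    A value containing quote characters closes the literal early and appends
    its own conditions, so the query no longer means what the developer wrote.
    """
    sql = "SELECT name FROM merchants WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, login):
    """Hardened form: the value is bound to a placeholder.

    The SQL text is constant; the driver hands the value to the engine as data,
    so quotes inside it cannot alter the query's structure.
    """
    rows = conn.execute("SELECT name FROM merchants WHERE login = ?", (login,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups on a normal value and on a quote-bearing value.

    Returns a dict so the outcome can be inspected or asserted on directly.
    """
    conn = make_db()
    normal = "acme-payroll"
    # Constructed input containing a quote; it is a classic tautology string,
    # used here only to show the difference between the two query styles.
    quoted = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted),
        "hardened_normal": lookup_parameterized(conn, normal),
        "hardened_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The concatenated version returns every merchant for the quote-bearing input, which is the same structural weakness that lets an attacker read or write tables the page was never meant to touch; the bound version returns nothing for that input because no login literally equals that string. Parameter binding on every query that carries request data, plus least-privilege database accounts for public-facing pages, is the mitigation; code review and dynamic testing aimed at finding unbound queries is the check a thorough assessor would perform.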

The malware eventually was uncovered in January by a forensic company hired by Heartland, he says.

Carr was scheduled to testify Monday morning at a U.S. Senate Homeland Security Committee hearing about protecting against cyber-attacks.


Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.