There is no “trying” in data protection

There is no trying when it comes to protecting your customers’ data: Heartland tries to rally industry in wake of data breach (Network World)
Robert Carr, the CEO of Heartland Payment Systems, is calling for the card payment industry to share security information and consider end-to-end encryption.
Mr. Carr is a strong advocate of “end-to-end encryption — which protects data at rest as well as data in motion — as an improved and safer standard of payments security.” However, his justification for not having it implemented properly before this breach is that this technology does not “wholly exist on any payments platform today.”
Mr. Carr, with all due respect, I disagree.
The fact that most door locks sold today are vulnerable to “bump key” techniques does not justify anyone leaving their doors unlocked and turning off their alarms. That’s especially true in a high-crime neighborhood.
PCI-DSS compliance does not necessarily mean that a particular company has the right level of security maturity to support its business model. “Heartland was, at the time of the breach, and currently is, PCI compliant,” as reported by The Tech Herald.
It has become evident that there is no such thing as “just enough security” achieved by merely getting the check marks on a PCI-DSS report. Data protection is a dynamic problem that requires a dynamic security, risk and compliance mitigation strategy.

Copyright © 2012 The Security Blog. All rights reserved.