The Green Sheet

Friday, January 23, 2009

Heartland's call to action

On Jan. 20, 2009, Heartland Payment Systems Inc. reported it had been victimized by hackers who compromised an unknown number of cardholder data accounts. To foster transparency, as well as reassure businesses, Heartland notified its entire roster of over 150,000 merchants to help them understand the breach and what it means to them.

"We have a very dedicated staff here who believe solid, trusted relationships with our merchants are more important than anything else," said Jason Maloni, Spokesman for Heartland. "This stands right alongside our respect and appreciation for data security, which we hold very dear. We here at Heartland are just sick about what happened, so we're acting as quickly as possible to make certain that it never happens again."

Critical data missed

Heartland believes it was the victim of a global cyber fraud operation. But, according to Heartland, no confidential merchant data, Social Security numbers, unencrypted PINs, addresses or telephone numbers were stolen.

"As deeply regretful as we are, it is important to note that in most of the cases the information would be card number and expiration date only," said Robert Baldwin, President and Chief Financial Officer of Heartland. "The majority of the data breached did not have names or other personally identifiable information available to the bad guys. So there's nothing our merchants need to worry about."

Band together

Over the past three days, Robert O. Carr, Heartland's founder, Chairman and Chief Executive Officer, has spent significant time on the telephone to personally support merchants. He has also been speaking to many payments industry leaders about working together to fight the cyber criminals who breached Heartland's system and continue to victimize companies and consumers worldwide.

"Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same – or slightly modified techniques – over and over again," Carr said. "I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Paul Martaus, President of payment consultancy Martaus & Associates, believes the best way to deal with this issue is to build a coalition of processors to create security measures that enhance the Payment Card Industry (PCI) Data Security Standard (DSS).

But Martaus blames the card brands, which control PCI DSS and the PCI Security Standards Council that implemented the standard, for being inattentive to the global threat to data security. "Those guys should be on top of this but they're not," he said. "So their efforts need to be supplemented and bolstered by the industry. We've got to get off this punitive bandwagon and get on with protection. We can bring those [cyber thieves] down if we work together."

More than just PCI

Carr has been a strong advocate for industry adoption of end-to-end encryption – which protects data in motion as well as data at rest – as an improved and safer standard of payments security. Heartland believes this technology does not wholly exist on payment platforms today. The Princeton, N.J.-based company is "more committed than ever before" to developing this solution and deploying it as quickly as possible.

Maloni echoes Carr and Martaus in saying that the payments industry must go beyond the mandates of the PCI DSS to better combat future attacks.

"It's not an indictment on the industry," Maloni said. "It's just a statement of fact that the bad guys are simply very, very good at what they do. We know some good lessons are going to come out of this. We certainly have our eyes open to what we can learn, and we hope new standards and new procedures emerge in order to establish better and higher levels of security."


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
