
The Green Sheet Online Edition

February 09, 2009  •  Issue 09:02:01

Heartland clamps down on breach

Heartland Payment Systems Inc., one of the largest payment processors in the United States, learned in mid-January 2009 that it was a victim of a security breach. In late 2008, Visa Inc. and MasterCard Worldwide officials notified Heartland of suspicious activity associated with transactions the company processed.

Since learning of the attack, Heartland reported it has aggressively worked to ascertain the extent of the breach and its impact, as well as ensure the integrity of cardholder data.

Visa and MasterCard received reports of fraudulent card use from their issuing banks last November and subsequently notified Heartland. The two card brands then triangulated the path of the hackers' attack [tracing transactions back through cardholders, issuing banks and processors] and reportedly found sufficient evidence of a potential problem in Heartland's system.

Heartland hired two additional outside forensic auditors to assist its internal team immediately after the card brands informed it that the company could be ground zero for the breach.

Compromised card data contained

"We have isolated the issue, and our internal forensic team and the [outside] forensic auditors consider it contained," said Robert Baldwin, President and Chief Financial Officer of Heartland. "This is something that we have been working aggressively and diligently on, and we continue to undertake a number of improvements in our data security.

"However, as we move forward, we believe the problems have been eliminated. And there is no suggestion or hint that any merchant will suffer any damage whatsoever."

Heartland's processing platforms contain over 600 million cardholder records, but security experts suggest data from significantly fewer accounts had been accessed or extracted. Heartland stated it does not know the number of cardholder accounts compromised. Baldwin added that it has been a challenge to discover precisely how it happened.

Getting the word out

"After putting the pieces together, we discovered quite a sophisticated attack on our processing platform," Baldwin said. "Since then we have been working on gathering as many facts as we can, with a focus on getting something out as quickly as we could. We notified our merchants and the organizations that process with us as soon as it was humanly possible."

After the breach was confirmed, Heartland immediately began containment measures, implementing additional security and risk management tools, as well as notifying merchants of the situation via a company press release on Jan. 20, 2009.

"We're dealing with a cleanup, of course, and it's a challenge, certainly, because our standards are already tight," Baldwin said. "We were certified PCI [Payment Card Industry] compliant last April. However, clearly the measures we had in place were inadequate to stop the attack. So, we will take an even deeper focus - along with a new sense of urgency - on achieving that much more security in our system."

Heartland is also allowing unrestricted access to its forensic audits by any payment organization requesting them.

"Heartland is willing to share file structures as well as all the information they have to help those people that have Windows-based applications with anti-virus software to determine whether or not they've been compromised," said Paul Martaus, President of consulting firm Martaus & Associates.

No magic bullet

According to Dr. Tim Cranny, Chief Executive Officer of security compliance specialists Panoptic Security Inc., there is no comprehensive cure-all against data breaches. "The first thing is that PCI does not make one bulletproof," Cranny said. "It puts you in the top category as far as the diligence and care that you're taking with security.

"There is real benefit in PCI, but remember that the mom-and-pops of the world have 1 percent of the expertise and resources that a Heartland does. It really comes down to taking a risk management approach, to look at all the things that can go wrong and try to deal with them. There's simply no pill you can take to make it all go away."

Payments could be paralyzed

Baldwin said Heartland executives have been in discussion with the U.S. Department of Justice and the U.S. Secret Service and were informed that this breach was committed by an international organization that has also targeted other U.S. processors and financial institutions.

"I am finding it hard to believe that we are not responding to an obvious act of cyber terrorism aimed at trying to disrupt the payment system of the United States, and it just blows me away that nobody sees it," Martaus said. "All of these intrusions are the work of one Russian mafia gang. And 15 other processors apparently have been attacked and no one knows about it."

Martaus suggested, however, that federal officials do know about these attacks but they're not telling anybody. "This should be a national emergency, and the Pentagon, the National Security Agency, everybody should be involved in this," he said. "This could absolutely destabilize the payments industry and bring it to its knees. A cyber terrorist attack, while not meant to destabilize the government or the economy, can do just that."

Solidarity to survive

To best combat future cardholder data compromises, Martaus and other industry experts propose building a coalition of processors to formulate the best approach to this issue, supplement the PCI Data Security Standard with stronger protection standards, and thwart future cyber attacks.

"This is serious, and the steps we take now - or the ones we don't take - will either save or destroy this industry," Martaus said. "Heartland is a victim in all this and we need to be proactive, not punitive, because it could cost us our livelihood. This is no joke."
