The Green Sheet Online Edition
February 09, 2009 • Issue 09:02:01
Heartland's call to action
Shortly after Heartland Payment Systems Inc.'s Jan. 20, 2009, disclosure that it had been victimized by hackers who compromised an unknown number of cardholder data accounts, the company notified its roster of over 150,000 merchants to help them understand the nature of the breach and what it means to them.
"We have a very dedicated staff here who believe solid, trusted relationships with our merchants are more important than anything else," said Jason Maloni, spokesman for Heartland. "This stands right alongside our respect and appreciation for data security, which we hold very dear. We here at Heartland are just sick about what happened, so we're acting as quickly as possible to make certain that it never happens again."
Critical data missed
Heartland believes it was the victim of a global cyber fraud operation. But, according to Heartland, no confidential merchant data, Social Security numbers, unencrypted PINs, addresses or telephone numbers were stolen.
"As deeply regretful as we are, it is important to note that in most of the cases the information would be card number and expiration date only," said Robert Baldwin, President and Chief Financial Officer of Heartland. "The majority of the data breached did not have names or other personally identifiable information available to the bad guys. So there's nothing our merchants need to worry about."
Over the past three days, Robert O. Carr, Heartland's founder, Chairman and Chief Executive Officer, has spent significant time on the telephone to personally support merchants. He has also been speaking to many payments industry leaders about working together to fight the cyber criminals who breached Heartland's system and continue to victimize companies and consumers worldwide.
"Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same - or slightly modified techniques - over and over again," Carr said. "I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."
Paul Martaus, President of payment consultancy Martaus & Associates, believes the best way to deal with this issue is to build a coalition of processors to create security measures that enhance the Payment Card Industry (PCI) Data Security Standard (DSS).
But Martaus blames the card brands, which control PCI DSS and the PCI Security Standards Council that implemented the standard, for being inattentive to the global threat to data security.
"Those guys should be on top of this but they're not," he said. "So their efforts need to be supplemented and bolstered by the industry. We've got to get off this punitive bandwagon and get on with protection. We can bring those [cyber thieves] down if we work together."
More than just PCI
Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data in motion as well as data at rest - as an improved and safer standard of payments security. The Princeton, N.J.-based company is "more committed than ever before" to developing this solution and deploying it as quickly as possible.
Maloni agrees with Carr and Martaus that the payments industry must go beyond the mandates of the PCI DSS to better combat future attacks.
"It's not an indictment on the industry," Maloni said. "It's just a statement of fact that the bad guys are simply very, very good at what they do.
"We know some good lessons are going to come out of this. We certainly have our eyes open to what we can learn, and we hope new standards and new procedures emerge in order to establish better and higher levels of security."
Beginning of end-to-end
In an effort to establish those higher security levels as quickly as possible, Heartland formed an internal department on Jan. 27, 2009, dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data used in electronic transactions.
For the past year, Carr has been advocating for the payments industry to adopt this technology - which will protect data at rest as well as data in motion - as an improvement to transaction security.
"PCI is an effective standard, but the bad guys have become so sophisticated that encryption of data in motion appears to be the next required step," Carr said. "There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required.
"Nevertheless, I believe the development and deployment of this technology will provide the ability to implement increasing levels of security protection as they are needed," Carr said. "Heartland has been working on end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts."
Heartland has brought in well-known payments expert Steven M. Elefant to spearhead the new department. Elefant is a member of the U.S. Secret Service Electronic Crimes Task Force and InfraGard, a public/private partnership of the Federal Bureau of Investigation.
"I have known Bob Carr for more than 20 years, and we gained respect for one another as competitors in the 1980s and 1990s," Elefant said.
"I believe Heartland's desire to bring end-to-end encryption to the market and work with other processors to share information about cyber crime incidents are significant steps for our industry."