The Green Sheet Online Edition

February 09, 2009  •  Issue 09:02:01

Heartland's call to action

Shortly after Heartland Payment Systems Inc.'s Jan. 20, 2009, disclosure that it had been victimized by hackers who compromised an unknown number of cardholder data accounts, the company notified its roster of over 150,000 merchants to help them understand the nature of the breach and what it means to them.

"We have a very dedicated staff here who believe solid, trusted relationships with our merchants are more important than anything else," said Jason Maloni, spokesman for Heartland. "This stands right alongside our respect and appreciation for data security, which we hold very dear. We here at Heartland are just sick about what happened, so we're acting as quickly as possible to make certain that it never happens again."

Critical data missed

Heartland believes it was the victim of a global cyber fraud operation. But, according to Heartland, no confidential merchant data, Social Security numbers, unencrypted PINs, addresses or telephone numbers were stolen.

"As deeply regretful as we are, it is important to note that in most of the cases the information would be card number and expiration date only," said Robert Baldwin, President and Chief Financial Officer of Heartland. "The majority of the data breached did not have names or other personally identifiable information available to the bad guys. So there's nothing our merchants need to worry about."

Band together

Over the past three days, Robert O. Carr, Heartland's founder, Chairman and Chief Executive Officer, has spent significant time on the telephone to personally support merchants. He has also been speaking to many payments industry leaders about working together to fight the cyber criminals who breached Heartland's system and continue to victimize companies and consumers worldwide.

"Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same - or slightly modified techniques - over and over again," Carr said. "I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Paul Martaus, President of payment consultancy Martaus & Associates, believes the best way to deal with this issue is to build a coalition of processors to create security measures that enhance the Payment Card Industry (PCI) Data Security Standard (DSS).

But Martaus blames the card brands, which control PCI DSS and the PCI Security Standards Council that implemented the standard, for being inattentive to the global threat to data security.

"Those guys should be on top of this but they're not," he said. "So their efforts need to be supplemented and bolstered by the industry. We've got to get off this punitive bandwagon and get on with protection. We can bring those [cyber thieves] down if we work together."

More than just PCI

Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data in motion as well as data at rest - as an improved and safer standard of payments security. The Princeton, N.J.-based company is "more committed than ever before" to developing this solution and deploying it as quickly as possible.

Maloni echoes Carr and Martaus in saying that the payments industry must go beyond the mandates of the PCI DSS to better combat future attacks.

"It's not an indictment on the industry," Maloni said. "It's just a statement of fact that the bad guys are simply very, very good at what they do.

"We know some good lessons are going to come out of this. We certainly have our eyes open to what we can learn, and we hope new standards and new procedures emerge in order to establish better and higher levels of security."

Beginning of end-to-end

In an effort to establish those higher security levels as quickly as possible, Heartland formed an internal department on Jan. 27, 2009, dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data used in electronic transactions.

For the past year, Carr has been advocating for the payments industry to adopt this technology - which will protect data at rest as well as data in motion - as an improvement to transaction security.

"PCI is an effective standard, but the bad guys have become so sophisticated that encryption of data in motion appears to be the next required step," Carr said. "There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required.

Outside expertise

"Nevertheless, I believe the development and deployment of this technology will provide the ability to implement increasing levels of security protection as they are needed," Carr said. "Heartland has been working on end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts."

Heartland has brought in well-known payments expert Steven M. Elefant to spearhead the new department. Elefant is a member of the U.S. Secret Service Electronic Crimes Task Force and Infragard, a public/private partnership of the Federal Bureau of Investigation.

"I have known Bob Carr for more than 20 years, and we gained respect for one another as competitors in the 1980s and 1990s," Elefant said.

"I believe Heartland's desire to bring end-to-end encryption to the market and work with other processors to share information about cyber crime incidents are significant steps for our industry."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
