The Green Sheet Online Edition
April 27, 2009 • Issue 09:04:02
Slaying the breach elephant
To share information about data breaches and prevent cyber criminals' continued attacks on the payments industry, Heartland Payment Systems Inc. founder, Chairman and Chief Executive Officer Robert O. Carr extended an invitation to the top 25 merchant acquirers and their registered third-party processors to attend the inaugural meeting of the Payments Processor Information Sharing Council on May 5, 2009, from 1:30 to 5 p.m., in St. Pete Beach, Fla.
After Heartland revealed in January 2009 that it had been the victim of a security breach, Carr wanted to know whether similar breaches had occurred at other processors, and if such breaches had occurred, why Heartland and other potentially vulnerable processors had not been informed so they could have protected their cardholder data from the same type of intrusion.
"We now know that exactly what happened to us has happened to other people in the past," Carr said. "And we thought we should form an organization of processors to let them know what the bad guys are doing so they can't pick us off one by one."
Sharing is imperative
The PPISC's meeting in May is in conjunction with the Financial Services Information Sharing and Analysis Center's member meeting and conference.
The FS-ISAC is a nonprofit organization dedicated to sharing information among its members, the government and other infrastructure sectors such as telecommunication and utility companies. All parties receive alerts concerning cyber and physical threats as well as vulnerabilities and incidents of concern.
"I checked out the FS-ISAC, and everyone that knew them said they were a great organization and had already set up all the infrastructure to do this on a private and confidential basis," Carr said.
"The Secret Service and the FBI are also members. So I talked to Bill Nelson, their Executive Director, and we agreed the best thing to do was to set up a division of the FS-ISAC specifically for the payments industry, and that's how the PPISC got its start."
Three options dominate
Carr said there are three categories of alternatives for improving security standards that will be addressed at the meeting: tokenization, end-to-end encryption and chip and PIN.
"There may be other categories, but most of what people are talking about and concerned with fit into one of these three areas," Carr said. "And in my view all three of those should be approved as higher standards, and then let the merchants decide what they want to use."
About 20 merchant acquirers and third-party processors are registered for the event. However, some of the people Carr contacted have not replied. "Sometimes we just don't know who to contact, so if The Green Sheet could help get the word out, I feel like this will encourage the right people to say, 'Hey, I should be there,'" Carr said.
Contact is welcome
In addition to a detailed forensic analysis of the Heartland attack and discussion of the detrimental effect of breaches on financial institutions, the meeting will identify goals for the PPISC and schedule future meetings.
"Now that acquirers and processors understand the purpose of this meeting, they can just send me an e-mail personally saying that they should be there, and I'll just deal with them directly about getting registered," Carr said. If you are an invitee or major third-party processor interested in attending, contact Carr at email@example.com. The meeting will take place at the Don CeSar Beach Resort; a reception and dinner will follow.