Sobering Reminder
Heartland Payment Systems, a major payment processor, is the latest victim of a data breach believed to have exposed an unknown number of credit and debit cardholders to the risk of fraud. In early January, chairman and CEO Bob Carr learned that the company’s systems had been compromised by malicious software (or malware).
Although the number of affected consumers remains unspecified, security experts fear that the Heartland breach could rival some of the largest data thefts on record. Disturbing as that news is, Heartland insists that cardholder Social Security numbers, unencrypted PINs, addresses and phone numbers were not at risk of compromise. In the vast majority of cases, the cardholder’s name was not at risk, either.
The breach is believed to be the work of a global cyber crime organization, possibly based in Eastern Europe. Criminal investigations by the U.S. Department of Justice and Secret Service are ongoing: Last month, three Florida men were arrested on hundreds of counts of credit card fraud linked to the Heartland breach.
In the weeks since the breach was revealed, executives of Princeton, N.J.-based Heartland have announced plans to introduce encryption technology that would take effect the moment a card is swiped. In addition, Heartland has formed a unit to develop and implement encryption capabilities and is calling for collaboration on an industry-wide encryption program. The ultimate goal, executives say, is “end-to-end encryption” from POS through to the card company networks.
STORES executive editor Susan Reda spoke last month with Carr about the breach, PCI certification and what the future holds for Heartland.
News reports have stated that more than 100 million cards may have been compromised. Is this a valid figure?
No, it’s not. At this point in the forensic investigation, we do not know how many card numbers were at risk of having been compromised. The numbers you have been seeing in news reports are only speculation on the part of reporters.
Have all of those cardholders been notified of the breach?
Heartland immediately notified the card brands of the incident and continues to work with them to protect consumers. Individual financial institutions, which – unlike Heartland – have the addresses for cardholders, are communicating directly with their cardholders as they see appropriate.
In addition to these efforts, Heartland disclosed the incident broadly to consumers by issuing press releases and launching a website (www.2008breach.com) that has updated information on the breach and identifies helpful resources for consumers.
Initially, the industry saw hackers going after online card-not-present types of payments. Then the bad guys switched to the card-present arena, targeting bricks-and-mortar retailers. Is the Heartland breach an indication that the next migration is to card processors?
It’s hard to say, but the bad guys are smart and getting smarter. It’s the responsibility of law enforcement authorities, payment systems and financial institutions to work together in an effort to stay one step ahead of the cyber criminals so these kinds of data breaches are stopped.
What are the potential ramifications to a processor in this situation?
One of the outcomes will be stronger security for Heartland, and we hope to encourage other processors and merchants to follow suit. We plan to introduce end-to-end encryption technology that exceeds current industry standards; we’ve created a special division devoted to this effort.
We hope to introduce encryption the moment a card is swiped so no outsiders can view unencrypted account data – even if they are somehow able to crack into the system at some point.
Looking back, what was it about your systems that you think may have made them more vulnerable? A source tells me your systems were proprietary. Could that have been a compromising factor?
No computer system is perfectly secure – even if it has been certified as being PCI compliant. That being said, we immediately took a number of steps to contain the breach and further enhance the security of our proprietary systems. Going forward, we’re continuing to examine our system from top to bottom to identify any other areas where we can improve. For example, we’re planning to implement a next-generation program designed to flag network anomalies in real time.