Heartland counts the cost of security breech
Promises aggressive encryption project.
By Ellen Messmer, Network World (US) | Network World US | Published: 10:40, 08 May 2009
Heartland Payment Systems reported that the security breach it disclosed earlier this year has cost the company about $12.6 million (£8.4 million) so far, including legal costs and fines from MasterCard and Visa.
Heartland also detailed plans to protect its credit- and debit-card processing network with an end-to-end encryption system that it will begin rolling out with its merchants in the third quarter.
"We are in a cybercrime arms race," said Bob Carr, Heartland's chair and CEO, in explaining why Heartland intends to deploy the custom-built encryption equipment.
During the company's financial earnings call, Carr and other Heartland executives acknowledged the breach is proving a heavy financial burden and that there's no estimated total cost.
Heartland executives also strongly refuted MasterCard's assertion that Heartland did not respond quickly enough or appropriately to information it was given related to the breach. Without providing more detail, Heartland said it will contest MasterCard's assertions legally.
Heartland processes about 100 million card transactions each month, and it's not yet clear exactly how much fraud was committed when cyber-crooks tapped into Heartland's payment network. Visa and MasterCard, as well as some banks, have indicated fraud can be traced back to the Heartland breach.
"Sniffers were put on the network by bad guys," said Carr in an interview this week with Techworld's sister title, Network World, during which he described how cybercriminals were able to capture card information travelling in the clear between merchant point-of-sale devices and the processor's network.
At a meeting this week of the newly-formed Payments Processors Information Sharing Council, attended by about 30 industry participants, Heartland distributed on USB sticks some samples of the malware code it believes was used as part of the breach, in the hope this could help protect other companies.
To protect its own processing network, Heartland will roll out an end-to-end encryption system with its merchants, beginning with a trial project this summer, says Carr. The system will be based on hardware and software that Heartland is spending millions to develop with help from soon-to-be-announced technology partners. Heartland has not yet publicly released the technical specifications.
Heartland "is basically leading the way for the rest of the industry," says Gartner analyst Avivah Litan, noting that its plan for end-to-end encryption will be the first effort of its kind in the United States.
She adds that end-to-end encryption has already gotten underway in Spain among merchants and their processors. One element critical to its success there, she says, is keeping encryption key management simple for merchants.
But in the US today, there is no established standard for end-to-end encryption of payment-processing networks. Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) it is proposing to the Accredited Standards Committee X9 (ASC X9) in early June.