Heartland Payment Systems, the victim last year of a massive data breach of sensitive card data, vowed after that devastating event to develop new security gear based on end-to-end encryption between itself and its merchants to prevent such a breach from occurring again. That's now taking shape, but slowly.
"We have a long way to go," acknowledges Heartland CEO Bob Carr, pointing out the so-called E3 payment terminals, intended for small-to-midsize customers, are but the first step, "with more advanced technologies coming in the summer" intended for use between Heartland's network and much larger merchants that would require more back-end integration into processing systems. "We're not ready to help all of them yet," he acknowledges.
There is as yet no end-to-end encryption requirement for debit- and credit-card processing, though the Payment Card Industry (PCI) Security Standards Council, which sets technical standards used by payment processors and merchants, is expected to weigh in on that topic in its upcoming PCI standard this October.
Unwilling to delay action after last year's devastating discovery of a data breach that has so far cost it well over $100 million in fines and associated costs, Heartland has spearheaded its own multi-million-dollar end-to-end encryption technology effort to keep cybercriminals at bay. (Hacker Albert Gonzalez was caught and confessed to hacking Heartland's processing network and much more, and this March was sentenced to 20 years in prison.)
"Every single breach I know of wouldn't have happened if our end-to-end encryption solution had been there," Carr says. He believes Heartland is the first to come out with a commercial deployment of end-to-end encryption with merchants.
Carr says the definition of end-to-end encryption may end up varying, but in Heartland's case it means protecting card data, particularly the track data, from the moment it is swiped at the merchant to the entry point of Heartland's network, and keeping it encrypted on through Heartland's network. However, that encryption currently stops at the card brands, such as Visa and MasterCard, and does not continue through to the banks.
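The boundary described above, as an added illustration rather than Heartland's or Voltage's actual E3 implementation (the article does not describe the cipher or key handling they use): track data is encrypted inside the terminal under a key the merchant never holds, the merchant's POS and store network forward an opaque blob, and the processor's entry point is the first place that can decrypt it, after which the plaintext goes on to the card brand. The example assumes AES-GCM, a per-device key injected before deployment, and a terminal ID bound as associated data; the key, the terminal ID "E3-0001" and the track 2 data are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: test PAN 4111111111111111 inside track 2 data, not a real card.
const (
	samplePAN    = "4111111111111111"
	sampleTrack2 = ";" + samplePAN + "=25121011000012345678?"
)

// terminalKey stands in for a per-device key injected before deployment; only the
// terminal and the processor hold it. Fixed here for repeatability (an assumption).
var terminalKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the swipe device and emits the blob the merchant's
// systems forward: "terminalID:hex(nonce):hex(ciphertext+tag)". The terminal ID is
// bound as associated data, so the blob cannot be presented as another device's.
func TerminalEncrypt(key []byte, terminalID, track2 string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(track2), []byte(terminalID))
	return terminalID + ":" + hex.EncodeToString(nonce) + ":" + hex.EncodeToString(ct), nil
}

// ProcessorDecrypt runs at the processor's network entry point, the other end of
// the encrypted span, and returns the plaintext track data that is then handed
// on to the card brand.
func ProcessorDecrypt(key []byte, wire string) (string, error) {
	parts := strings.SplitN(wire, ":", 3)
	if len(parts) != 3 {
		return "", errors.New("malformed message")
	}
	nonce, err1 := hex.DecodeString(parts[1])
	ct, err2 := hex.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return "", errors.New("bad hex encoding")
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(parts[0]))
	if err != nil {
		return "", errors.New("authentication failed: altered blob, wrong terminal ID or wrong key")
	}
	return string(pt), nil
}

// MerchantSeesPAN models what a compromised POS or store network could learn by
// inspecting the blob: the PAN as text or as its hex-encoded bytes.
func MerchantSeesPAN(wire, pan string) bool {
	return strings.Contains(wire, pan) || strings.Contains(wire, hex.EncodeToString([]byte(pan)))
}

// Tamper flips the last hex digit of the blob (part of the GCM tag), modelling a
// modification somewhere on the merchant-to-processor path.
func Tamper(wire string) string {
	repl := "0"
	if wire[len(wire)-1] == '0' {
		repl = "1"
	}
	return wire[:len(wire)-1] + repl
}

func main() {
	wire, err := TerminalEncrypt(terminalKey, "E3-0001", sampleTrack2)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant can see PAN:", MerchantSeesPAN(wire, samplePAN))            // false
	track, err := ProcessorDecrypt(terminalKey, wire)
	fmt.Println("processor recovered track data:", track == sampleTrack2, err)       // true <nil>
	_, err = ProcessorDecrypt(terminalKey, Tamper(wire))
	fmt.Println("tampered blob rejected:", err != nil)                                // true
}
```

Two things the example makes concrete that the paragraph only states: nothing the merchant's systems hold can yield the PAN, so a compromise there (the kind of breach Heartland itself suffered) exposes only ciphertext; and because the cipher is authenticated, a blob altered in transit or relabelled with a different terminal ID is rejected at the processor rather than decrypted to garbage. The example deliberately stops where the article says the encryption stops: once ProcessorDecrypt returns, the track data is plaintext on its way to the card brand. It also leaves out the per-device key distribution and rotation a real deployment needs.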
Carr thinks the most vulnerable points that hackers will try to exploit are in the interconnections between merchant and payments processor, but he acknowledges that as the industry evolves to better protect these routes, hackers will undoubtedly look for the weakest link in the chain.
The E3 terminals, built by Voltage Security and Uniform Industrial Corp., were custom ordered by Heartland, which isn't requiring its merchants to use them, but strongly recommending them.
"They do have to buy the devices," Carr says, noting they range from $300 to $500, which Heartland will finance for six months if merchants have cash-flow issues. But one incentive for using E3 is a guarantee from Heartland that if merchants using E3 are breached, Heartland will cover fines and forensic costs related to any breach tied to the stand-alone terminals. Heartland is also offering free help to smaller merchants in filling out PCI standard conformance forms, something that can be technically bewildering to them.
One looming issue in end-to-end encryption is interoperability if the industry adopts more robust processes for protection through encryption. But Carr is optimistic the industry will meet the challenge, saying the PCI Security Standards Council "is listening hard and being responsive."