Hit by a massive data breach last year, Heartland
Payment Systems has turned a near-disaster into an opportunity to
set new standards of security in the processing industry. The US
payments processor provided Charles Davis with insight into its
solution, based on seamless POS-to-processor
encryption.
Given up by many for dead after last year’s massive data breach,
Heartland Payment Systems instead has used the tragedy as
inspiration for a top-to-bottom remake of the company’s security
systems, and now is ready to unveil an entire new line of
business.
Heartland’s response is an end-to-end encryption architecture and
processing methodology designed to solve both the root problem of
hacking attacks and restore the company’s reputation. Like Johnson
& Johnson’s now-famous tamper-proof lid developed after the
1980s Tylenol poisoning which helped restore confidence in the
Tylenol brand, Heartland is hoping its end-to-end encryption
product will similarly inspire confidence in its security
systems.
The task seems daunting, but Heartland already is gaining adherents
as it prepares to launch its own security module, complete with its
own line of POS terminals for both credit and debit transactions, in
the fourth quarter.
Jason Maloni, a spokesperson for Heartland, told EPI that CEO
Robert Karr is “taking lemons, and making lemonade”.
“What happened to us was a travesty, but we are using that travesty
to build a better solution for our clients, one that will ensure
that nothing like [last year’s data breach] ever happens again,”
Maloni said.
“This is a massive undertaking, and one that revolves around
end-to-end encryption as the beginning and ending point.”
Heartland is investing heavily in its end-to-end encryption (E3),
based on the guiding principle that the problem with security is
all about the money: remove the economic incentive for a breach,
and there will be fewer of them and, when they do occur, the damage
is far easier to contain.
Maloni said that Heartland recently completed the first phase of
its end-to-end encryption pilot project, handling more than 1,000
transactions from seven pilot retailers in Indiana and Texas, and
added that the E3 network will be ready for live launch in the
fourth quarter.
The first step involved the transmission of live Advanced
Encryption Standard (AES) encrypted card transactions from a
merchant to Heartland’s processing platform. AES is the highest
level of encryption and is currently on track to replace the Data
Encryption Standard and Triple DES as the desired standard for
sensitive data.
According to Heartland, this is the first time encrypted
transactions have been sent from a merchant’s card reader to and
through a major processor’s payments network.
“The cards were read by our newly developed pilot tamper-resistant
security module terminal,” Maloni said. “The data was encrypted as
the electronic digits left the magnetic stripe and entered the
hardware device. The data was then successfully transmitted to and
through our processing platform for authorisation and
settlement.”
‘Best solution available’
Typically, cardholder data is unencrypted as it leaves a merchant’s
terminal and is not encrypted until it is either tokenised in a
gateway or at rest in the processing platform’s data warehouse.
This means cardholder data in transit is at risk of being
compromised should it get in the hands of cyber criminals or
hackers via such methods as network or memory sniffer
malware.
To protect data throughout the lifecycle of a credit, debit or
prepaid card transaction, Heartland is developing end-to-end
encryption technology designed to encrypt the transaction from the
card read, through Heartland's network and ultimately through
transmission to the card brands.
“This is the best security solution available for payment
transactions,” Maloni said. “It is a huge move forward for us as a
company. Our total attention turned to reconfiguring the network so
this can never happen again.”
For Heartland, E3 protection involves five payment zones. Zone 1
covers transactions from data entry/card read at the merchant to
the authorisation network of the processor, then on to Zone 2,
which covers transactions from entry into the authorisation network
of the processor through all points in which data is in motion
within the network(s) of the processor and its
sub-contractors.
Zone 3 covers transactions while the data resides in a central
processing unit or a host security module, and Zone 4 covers data
held in a direct access storage device or archival storage. Finally,
Zone 5 covers transmission from the processor to the authorisation
and settlement centres of the card brand or issuer.
Whenever a transaction transits from one zone to another, it must
pass through a host security module or tamper-resistant security
module for a decrypt and re-encrypt cycle, much the way PIN debit
has been handled in what Visa calls "security zones".
Once the transaction leaves Zone 4, Heartland will have to decrypt
the card data and send it in the clear into card brands’
authorisation and settlement systems using secure direct
connections. This is the final loose end in the end-to-end
encryption story.
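The zone model described above, as an added example that is not Heartland's code or any part of the E3 product: the terminal encrypts track data at the card read (Zone 1 entry), a boundary function models the host security module that decrypts under the inbound zone key and re-encrypts under the outbound key without handing plaintext back to the caller, and a final function models the Zone 4 to Zone 5 handoff where the processor must decrypt for the card brand. The article says only "AES"; the choice of AES-256-GCM, one symmetric key per zone, the `sampleTrack` value and every function name are assumptions made for this illustration, and Heartland's actual key management is not described on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed track-2 style sample for the walkthrough; not a real card.
const sampleTrack = "4111111111111111=25121010000012345678"
const samplePAN = "4111111111111111"

// NewZoneKey returns a fresh 256-bit AES key for one zone (terminal or processor).
// Assumption: each zone holds its own symmetric key inside a TRSM/HSM.
func NewZoneKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts with AES-256-GCM; the random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's tag check rejects a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// EncryptAtCardRead models Zone 1 entry: the terminal TRSM encrypts the track
// data as it leaves the stripe, so the merchant LAN only ever carries ciphertext.
func EncryptAtCardRead(terminalKey []byte, track string) ([]byte, error) {
	return seal(terminalKey, []byte(track))
}

// TranslateZone models the HSM at a zone boundary: decrypt under the inbound
// zone key, re-encrypt under the outbound zone key, and never return plaintext.
func TranslateZone(inKey, outKey, blob []byte) ([]byte, error) {
	plain, err := open(inKey, blob)
	if err != nil {
		return nil, fmt.Errorf("inbound zone key rejected blob: %w", err)
	}
	// Scrub the plaintext buffer once the outbound blob has been produced.
	defer func() {
		for i := range plain {
			plain[i] = 0
		}
	}()
	return seal(outKey, plain)
}

// DecryptForCardBrand models the Zone 4 to Zone 5 handoff, the single point in
// the article's model where the processor must release the data in the clear.
func DecryptForCardBrand(processorKey, blob []byte) (string, error) {
	plain, err := open(processorKey, blob)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ExposesPAN reports whether the account number appears in the clear in a blob,
// which is exactly what a network or memory sniffer would be scanning for.
func ExposesPAN(blob []byte, pan string) bool {
	return bytes.Contains(blob, []byte(pan))
}

func main() {
	terminalKey, _ := NewZoneKey()
	processorKey, _ := NewZoneKey()
	zone1, _ := EncryptAtCardRead(terminalKey, sampleTrack)
	fmt.Println("PAN visible on merchant network:", ExposesPAN(zone1, samplePAN))
	zone2, _ := TranslateZone(terminalKey, processorKey, zone1)
	fmt.Println("PAN visible inside processor network:", ExposesPAN(zone2, samplePAN))
	track, err := DecryptForCardBrand(processorKey, zone2)
	fmt.Println("released to card brand:", track, err)
}
```

The point the boundary function makes is that compromise of a terminal key does not open data that has already crossed into Zone 2, and that any bit flipped in transit fails the GCM tag check instead of producing a silently corrupted authorisation.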
A major question for encryption in general is the passage of
encrypted data into the card brands and the willingness of the card
associations to accept it. Heartland reports productive discussions
with major card brands and has received a commitment from one major
card brand to take encrypted data into Zone 5 and the issuing
domain.
Anchoring Heartland's merchant-side solution is its new line of
terminals, or tamper-resistant security modules (TRSMs), which turn
card data into enciphered bits.
Heartland is applying this approach to all card transactions, not
just PIN debit. It has also upped the security ante by using AES
rather than 3DES as the encryption algorithm. Heartland also is
working with established US equipment and software manufacturers to
integrate their TRSM devices into the company's E3 approach.
Maloni said Heartland also has been instrumental in the formation
of the Payment Processors Information Sharing Council – a group of
competitors in the payments industry exchanging information about
breaches, hackers and other potential security problems.
At the group’s original face-to-face meeting, CEO Karr handed a
memory stick with the code found on Heartland’s systems during the
data breach to the 36 competitors there, Maloni said.
“That set the tone,” Maloni said. “We are deadly serious about this
never happening again.”