Post-Breach Goal: Wider Encryption

In response to a data breach, Heartland Payment Systems Inc. plans to introduce encryption technology that exceeds industry standards — a shift that might attract customers and eventually lead to significant changes in the payment industry's approach to security.

The Princeton, N.J., transaction processor said its data security meets existing standards. But it also said that it has long considered encrypting card data within its systems, and that it was spurred to take action by the breach it disclosed last week.

"The incident has accelerated our resolve to move forward on this," Robert H.B. Baldwin Jr., Heartland's president and chief financial officer, said in an interview Wednesday. "Anybody in possession of sensitive data is only as good as their weakest link at any point."

In this case, the weak link was Heartland's authorization switch, which sends unencrypted account data to card networks for approval. Mr. Baldwin said the processor found this month a sniffer program that "was watching the transactions as they moved on to our authorization switch, not in the switch itself."

The Payment Card Industry data security standard, which was developed by the major card networks to govern how merchants and processors store and handle information, does not require data to be encrypted at that stage of the transaction, he said. "At that point, under current best practices, it is not encrypted."

Heartland's plan would introduce encryption the moment a card is swiped — which would have blocked the sniffer from observing any usable account data.

Mr. Baldwin said the ultimate goal is "end-to-end encryption," which would start at the point of sale, would include Heartland's systems and those of other processors, and would continue all the way through the card company networks.
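The difference between the two designs described above (account data travelling in the clear toward the authorization switch versus data encrypted the moment the card is swiped) can be made concrete with a small model. The following Go program is an added illustration, not code from Heartland or any processor: it assumes the terminal holds an AES-GCM key shared with the processor's decryption point, uses a constructed test card number and a constructed merchant ID, and models the legacy path as a plain-text authorization record. The check `ObserverSeesPAN` is a defender-side test of what any party with visibility into a network segment could read. Note that whoever holds the key defines the boundary of "end-to-end": with the key known only to the terminal and the processor, the segment from the processor onward is still clear text unless the card networks take part in the same scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample data for the demonstration; not a real card or merchant.
const samplePAN = "4111111111111111"
const sampleMerchant = "MERCHANT-001"

// demoKey is a fixed 32-byte AES-256 key used only so the example is reproducible.
// In a real deployment the key would be injected into the terminal's secure reader
// and held on the processor side in an HSM.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// Terminal models a point-of-sale reader that encrypts at the moment of swipe.
type Terminal struct{ aead cipher.AEAD }

// NewTerminal wraps the shared key in an AES-GCM AEAD.
func NewTerminal(key []byte) (*Terminal, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Terminal{aead: aead}, nil
}

// EncryptAtSwipe returns the record that leaves the terminal: nonce || ciphertext || tag.
// The merchant ID is bound as associated data, so the record is rejected if it is
// presented under a different merchant.
func (t *Terminal) EncryptAtSwipe(pan, merchantID string) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return append(nonce, ct...), nil
}

// DecryptAtSwitch is the single point on the processor side where plaintext appears.
func (t *Terminal) DecryptAtSwitch(record []byte, merchantID string) (string, error) {
	n := t.aead.NonceSize()
	if len(record) < n {
		return "", errors.New("record too short")
	}
	pt, err := t.aead.Open(nil, record[:n], record[n:], []byte(merchantID))
	if err != nil {
		return "", err // authentication failure: tampered record or wrong merchant
	}
	return string(pt), nil
}

// LegacyWireMessage models today's path to the authorization switch: the PAN is
// carried as plain ASCII digits in the authorization record.
func LegacyWireMessage(pan, merchantID string) []byte {
	return []byte("AUTH|" + merchantID + "|" + pan)
}

// ObserverSeesPAN is a defender-side check on a captured network segment: does the
// record carry the account number in usable form?
func ObserverSeesPAN(wire []byte, pan string) bool {
	return strings.Contains(string(wire), pan)
}

func main() {
	term, err := NewTerminal(demoKey)
	if err != nil {
		panic(err)
	}
	legacy := LegacyWireMessage(samplePAN, sampleMerchant)
	fmt.Printf("legacy path, PAN visible on wire: %v\n", ObserverSeesPAN(legacy, samplePAN))

	encrypted, err := term.EncryptAtSwipe(samplePAN, sampleMerchant)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypt-at-swipe record: %s\n", hex.EncodeToString(encrypted))
	fmt.Printf("encrypt-at-swipe, PAN visible on wire: %v\n", ObserverSeesPAN(encrypted, samplePAN))

	pan, err := term.DecryptAtSwitch(encrypted, sampleMerchant)
	fmt.Printf("decrypted at switch: %s (err=%v)\n", pan, err)
}
```

The program shows the two properties a processor would want to verify before claiming the sniffer scenario is closed: the captured record between reader and switch contains no usable digits, and the record can only be opened at the keyed decryption point, under the merchant it was bound to.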

To this end, he said Heartland is talking to other processors and terminal makers, which he would not name, about collaborating on an industrywide encryption program.

Heartland said Tuesday that it had formed a unit to develop and implement encryption capabilities. Steven M. Elefant, a longtime friend of Heartland's chief executive, Robert O. Carr, and the co-founder and former CEO of the payment technology company ICVerify Inc., was hired as the executive director in charge of the unit.

Avivah Litan, a vice president and research director at the market research company Gartner Inc., praised Heartland's attempts to work with other companies to promote end-to-end encryption.

Heartland "can't manage the whole industry, but they are setting a standard, and it would be nice if the rest of the banking industry followed, because then it really would be end-to-end," she said. "You're only going to solve this with stronger security measures."

The efforts are "definitely going to bring credibility" to the idea of introducing more encryption in the payment system, Ms. Litan said.

"There are some retailers that may switch to Heartland because of this, so it may become a competitive edge." However, "I don't see processors and retailers rushing into this in today's economic climate," she said. "They've already spent millions of dollars, billions of dollars, on PCI."

Heartland was compliant with the PCI standard when the company was audited in April, and its systems are being evaluated again now. Mr. Baldwin said that compliance is no guarantee against breaches, and that introducing encryption that goes beyond the current requirements would help.

"Unfortunately, the bad guys are also very good," he said.

Brian Riley, a research director in the bank card practice at TowerGroup, an independent research firm owned by MasterCard Inc., said that Heartland's goal of end-to-end encryption would "require cooperation throughout the entire card payments value chain."

End-to-end encryption "does add a layer of protection," he said, but it would not be a magic bullet; acquirers working with restaurants, for example, must contend with data issues when waiters take cards to another room to swipe them.

"Encryption will have no benefit for those transactions," he said. "You constantly have to be … looking where your vulnerabilities are."

Mr. Baldwin said the cost to Heartland would be "nontrivial, but not huge."

MORE FROM AMERICAN BANKER