Breach Sharing Gets Off the Ground

After Heartland Payment Systems suffered its massive breach in January, CEO Robert O. Carr issued a call to action, suggesting payments players implement end-to-end encryption and share breach forensics among themselves. Some dismissed this rant as a public relations strategy to distract from Heartland's culpability in the case, but Carr made good on his word in early May with the formation of the Payments Processing Information Sharing Council (PPISC).

Carr kicked off the inaugural meeting of the PPISC as a new subsidiary of the Financial Services Information Sharing and Analysis Center (FS-ISAC), firm in his belief that the entire industry would benefit from the anonymous sharing of information about breaches and tools to detect new variants of malicious software. Some 30 people from 19 companies attended the meeting, which Carr called a success. "I was concerned there would be jockeying by some of the companies to get a competitive edge," Carr says. "But there seemed to be genuine interest in doing what's best for each other and the industry."

Industry analysts have applauded the effort, comparing the information sharing methodology here to one that's been successful in other areas of financial services, such as pump-and-dump stock schemes. "I think it's a great idea," says Avivah Litan, Gartner VP and distinguished analyst. "One of the problems in the U.S. is that companies don't share enough information about fraud, and fraudsters don't restrict their attacks to one company."

The malware that enabled the Heartland breach - which has cost the company nearly $13 million so far - has reportedly been used against other processors. Given this, the group's first order of business was to distribute copies of the 14 pieces of malware that Heartland found on its systems after the breach, along with software to detect the malware, courtesy of forensics investigative company Mandiant.

After considering a number of organizations, the FS-ISAC was tapped to help organize the effort because of its success and proven architecture for sharing confidential information anonymously. A follow-up phone meeting is planned for late June, intended to include those who couldn't attend the kickoff meeting.

If the PPISC operates similarly to the FS-ISAC, data about incidents will be shared anonymously via listserv, and conference calls will be held to update members on breaking news that they can react to. William B. Nelson, president and CEO of FS-ISAC, also envisions a planning exercise in which members go through the motions following a mock breach as if the incident were real. "We want to test the ability of everybody to get on a call quickly, and how they would respond to the circumstances."

What the group does not plan to tackle is the efficacy of the Payment Card Industry's Data Security Standard, which has come under increasing scrutiny as ever-larger breaches continue to plague the payments industry. "We're not going to get into any big policy debates," Nelson says. "It's more an operational focus."
