Heartland Payment Systems' chief executive, Robert Carr, has likened his company's massive data breach to the Tylenol experience when product contamination led to an overhaul of packaging safety.
Carr has probably had a few "Tylenol moments" himself in recent months while dealing with what may be among the largest data breaches ever (the number of cards compromised remains undisclosed).
Now Carr is using his standing — he founded Heartland and is respected among processors — to call for industrywide reform of payments technology.
Some observers agree with his stance, but there has been scant comment thus far from the industry's most influential parties, including titans like MasterCard Inc., Discover Financial Services, and Visa Inc.
"Our concern is that an underlying principal of PCI compliance is that data can be held in its native form — unencrypted — as long as it is properly protected within a corporate firewall," said Bob Baldwin, Heartland's chief financial officer. But corporate firewalls are only as strong as their weakest link. "What we're trying to do in end-to-end encryption is, have the data always remain in its encrypted form from the moment of the swipe to the moment it gets to the association," Baldwin said.
It is easy to make a case that the Heartland breach should be a louder call for industrywide action than other major breaches, including the incidents at Hannaford Brothers Co. or TJX Cos. Inc. Heartland is one of the leading processors, moving 11 million transactions a day, and was known to have invested heavily in security, and it had passed its latest PCI audit.
"I think it's more serious: How much worse can it get than a top 10 processor?" said Avivah Litan, a vice president and research director at the market research company Gartner Inc. "Plus, it's a much bigger target. Visa's next."
Litan agreed that now is the time for the industry to pony up for end-to-end encryption. Some payment terminals can already encrypt data; processors can encrypt data while it is in their environment; and issuers could theoretically accept encrypted data and decrypt it in their environment.
The problem is that, without an agreed-upon standard — though triple DES would probably work — gaps exist between each player that even PCI does not address.
Still, Litan said it would be worth the trouble. "I would say the cost of putting end-to-end encryption in place would be lower than all the PCI security costs and the breaches."
MasterCard, American Express Co., and Discover declined to comment.
Visa issued a statement noting its support of encryption through VisaNet, an authorization and settlement encryption product, but said that few processors are pursuing encryption in their environments because of the complexity and expense.
Instead, Visa is sticking to the PCI standard. Though it is "no guarantee, maintaining compliance with the PCI DSS remains the best protection against a data compromise," the San Francisco payments company stated. "Forensic reviews of past data breaches have indicated that no compromised entity has actually been in full compliance with PCI DSS when its breach" occurred.
Of course, some technology vendors claim to have the "silver bullet" to defeat the problem. One is smart card vendor Gemalto, which has been a major player in global adoption of the Europay-MasterCard-Visa security standard.
"End-to-end encryption security based on smart card technology is a worldwide proven technology that reduces fraud," said Jack Jania of Gemalto. "I think the U.S. has just been postponing the inevitable."
