After Heartland Payment Systems Inc. announced a massive data breach in January, its chief executive officer, Robert O. Carr, issued a call to action, suggesting that payments players implement end-to-end encryption and share breach forensics among themselves.
Some dismissed the notion as a public relations ploy to distract from Heartland's culpability in the case, but Carr made good on his word this month by creating a group to help processors collaborate on fighting fraud.
About 30 people from 19 companies attended the inaugural meeting of the Payments Processing Information Sharing Council on May 4, and Carr called the event a success.
"I was concerned there would be jockeying by some of the companies to get a competitive edge," Carr said in an interview. "But there seemed to be genuine interest in doing what's best for each other and the industry."
He said the entire transaction processing industry could benefit from the anonymous sharing of information about breaches and tools to detect new variants of malicious software.
Analysts have applauded the effort, comparing the information-sharing concept to one that has an established track record in fighting other types of financial fraud, such as pump-and-dump stock schemes.
"I think it's a great idea," said Avivah Litan, a vice president and research director at Gartner Inc., a market research firm in Stamford, Conn. "One of the problems in the U.S. is that companies don't share enough information about fraud, and fraudsters don't restrict their attacks to one company."
The malicious software used in the Heartland breach — which has cost the company nearly $13 million to date — has reportedly been used against other transaction processors.
Given this, the group's first order of business was to distribute copies of the 14 pieces of malware that Heartland had uncovered on its systems after it realized it had been breached, along with software from the forensics investigative company Mandiant Inc. that can detect the malware.
The group is a subsidiary of the Financial Services Information Sharing and Analysis Center, which was formed in 1999 to help financial companies fight Internet fraud.
Carr said he sought the center's help in organizing the effort because of its success and proven architecture for sharing confidential information anonymously.
If the new group operates similarly to the analysis center, data about incidents will be shared anonymously and conference calls will be held to update members on significant data security developments affecting the processing industry. The council is open only to executives from transaction processors.
William B. Nelson, the analysis center's president and CEO, said he would like to conduct a mock breach so members can get some practice in dealing with a cyberattack.
"We want to test the ability of everybody to get on a call quickly, and how they would respond to the circumstances," Nelson said in an interview.
A phone meeting is planned for late June for people who were unable to attend the council's May 4 meeting.
One key subject the council does not plan to address is the efficacy of the Payment Card Industry's data security standard, which has come under increasing scrutiny as more, and bigger, breaches continue to affect the payments industry.
"We're not going to get into any big policy debates," Nelson said. "It's more an operational focus."
