Heartland Payment Systems Inc. has completed the first test of an end-to-end encryption system designed to protect the cardholder data it handles from hackers.
The Princeton, N.J., processor, which disclosed a major breach in January, said Tuesday that it had run transactions from all four major card brands on the E3 system. However, the networks — Visa Inc., MasterCard Inc., American Express Co. and Discover Financial Services — do not accept encrypted data from Heartland, so it had to decrypt the data to complete the transactions.
Heartland said more than one of the card brands should be set up to handle encrypted data in the first quarter of next year, though it plans to begin selling the system even if the card brands are not ready by that time.
Though the company was working on an encryption system long before its well-publicized breach, Heartland executives said the incident led them to accelerate the project and discuss it publicly.
Steven M. Elefant, Heartland's executive director of end-to-end encryption, said that if merchants embrace its new system, it should ease some of their lingering worries about the Payment Card Industry data security standard.
"PCI is a good start, but PCI in and of itself does not keep people secure, so it has to be extended," Elefant said. "Part of what we offer with E3 is that the merchant will never have the ability to decrypt a card," so they would not be capable of exposing data.
Merchants have long complained about the cost of complying with PCI, which the networks enforce. The standard has come under stronger criticism since the Heartland breach. The assessments the processor had to undergo to certify its compliance had failed to discover its security shortcomings; only after the breach occurred was the processor declared to have not been in compliance.
Even Visa, the standard's most outspoken supporter among the card brands, has lately been describing PCI as a "minimum" set of security procedures.
Elefant said the largest merchants must spend millions to comply, and they face harsh fines if, like Heartland, they suffer a breach even after passing an assessment. Though E3 requires merchants to buy hardware, "they are willing to spend money to" encrypt "all of the card transactions that come through their system," he said. Heartland plans to indemnify E3 users of any fines they would be assessed under PCI if any incidents should occur after they put the system in place, he said.
The system was tested at a car wash in Plano, Tex. Over the course of the year, Heartland will repeat the test with hundreds of merchants, Elefant said.
Heartland said the payment process can be divided into five zones. The first zone is the card reader owned by the merchant, the next three are controlled by the processor, and the fifth zone is the handoff to the card brands.
Without encryption, "all those transactions are in an open, clear-text format where anybody who is trying to sniff or capture or introduce malware can get that transaction information," Elefant said.
Under E3, the first six and last four digits of the account number are kept clear, but the rest are scrambled. Elefant said this gives the merchant enough information to identify the account for repeat transactions, but not enough for a fraudster to use the card if the data were stolen.
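The split described above, written out as an added illustration (this is not Heartland's code, and the article does not say which cipher E3 uses): the first six and last four digits stay clear, the middle digits are scrambled under a key that only the processor holds, and the merchant's stored record contains no key. The digit-stream construction, the 32-byte key and the test card number are assumptions for the example; a production system would use a standardized format-preserving mode rather than this stand-in.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a numeric PAN string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digit_stream(key: bytes, nonce: bytes, n: int) -> list:
    """Derive n pseudorandom decimal digits from HMAC-SHA256(key, nonce||counter).
    Stand-in for a real format-preserving cipher (assumption, not E3's design).
    Bytes >= 250 are discarded so each digit is uniformly distributed."""
    out, counter = [], 0
    while len(out) < n:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b % 10 for b in block if b < 250)
        counter += 1
    return out[:n]


def e3_protect(pan: str, processor_key: bytes) -> dict:
    """Keep the first six and last four digits clear; scramble everything between.
    The returned record is what the merchant may store: no key is included."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    nonce = secrets.token_bytes(12)  # fresh per transaction so equal PANs differ
    stream = _digit_stream(processor_key, nonce, len(middle))
    scrambled = "".join(str((int(d) + s) % 10) for d, s in zip(middle, stream))
    return {"clear_prefix": head, "scrambled_middle": scrambled,
            "clear_suffix": tail, "nonce": nonce.hex()}


def e3_recover(record: dict, processor_key: bytes) -> str:
    """Processor-side step before the handoff to the card brands (zone five)."""
    stream = _digit_stream(processor_key, bytes.fromhex(record["nonce"]),
                           len(record["scrambled_middle"]))
    middle = "".join(str((int(d) - s) % 10)
                     for d, s in zip(record["scrambled_middle"], stream))
    return record["clear_prefix"] + middle + record["clear_suffix"]
```

The merchant can still match `clear_prefix` and `clear_suffix` across repeat transactions, but without `processor_key` the record cannot be turned back into a usable PAN.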
Avivah Litan, a vice president at the market research firm Gartner Inc., said Heartland should find a market for E3 among merchants, though there is no guarantee that using encryption will make things easier for merchants under PCI. "It's up to the PCI security council to tone down the requirement if you're encrypting end to end."
However, she said, Heartland's goal of getting the card brands on board by the first quarter of 2010 is "really optimistic." Though some have talked up the benefits of encryption, the card brands have not yet publicly committed to Heartland's system.