Heartland's Lonely Quest For Reform

Heartland Payment Systems CEO Robert Carr has likened his company's massive data breach to the Tylenol moment when product contamination led to an overhaul in packaging safety. It's likely Carr has had a few Tylenol moments himself in the past couple of months as he dealt with perhaps the largest data breach ever, though the actual number of cards compromised is undisclosed.

Now Carr is using his standing in the industry - he founded Heartland and enjoys healthy respect among processors - to call for industry-wide reform of payments technology and information sharing about exploits to prevent criminals from successfully deploying the same hack on multiple targets. Lots of industry players agree with his stance, but there's been scant input thus far from the industry's most influential parties, including titans such as MasterCard, Discover and Visa, which are mostly mum on the subject.

"Our concern is that an underlying principle of PCI compliance is that data can be held in its native form - unencrypted - as long as it is properly protected within a corporate firewall," says Bob Baldwin, CFO of Heartland, with corporate firewalls only as strong as their weakest link. "What we're trying to do in end-to-end encryption is have the data always remain in its encrypted form from the moment of the swipe to the moment it gets to the association."

It's easy to make a case that the Heartland breach should be a louder call for industrywide action than Hannaford or TJX; the company is one of the leading processors, moving 11 million transactions each day, and was known to have invested heavily in its security. And, it had passed its latest PCI audit. "I think it's more serious, how much worse can it get than a top 10 processor?" says Avivah Litan, Gartner vp. "Plus, it's a much bigger target. Visa's next."

Litan's in agreement with Carr that now's the time for the industry to pony up for end-to-end encryption. Some POS terminals can already encrypt data, processors can encrypt data while it's in their environment, and issuers could theoretically accept encrypted data and decrypt it in their environment. The problem is that without an agreed-upon standard - though triple DES would likely work - there are "air gaps" between each of the players that even PCI doesn't address.

Still, it'd likely be worth the trouble. "I would say the cost of putting end-to-end encryption in place would be lower than all the PCI security costs and the breaches," Litan says.

Mastercard, American Express and Discover declined to comment for this story. Visa issued a statement noting its support of encryption through its VisaNet endpoints, an authorization and settlement encryption product, but noted that few processors are pursuing encryption in their environment because of the complexity and expense.

Instead, Visa is sticking to its guns with the PCI standards. "...While no guarantee, maintaining compliance with the PCI DSS remains the best protection against a data compromise. Forensic reviews of past data breaches have indicated that no compromised entity has actually been in full compliance with PCI DSS when its breach [occurred]," the company said in a written statement.

Bob Russo, general manager of the PCI Security Standards Council, says the organization is studying new tools like end-to-end encryption, tokens and EMV, and how use of these might pre-empt the requirements of PCI compliance. But Russo doesn't see the Heartland breach as a watershed moment in payments security.

Of course there are tech vendors that vow to have the silver bullet to solve the problem. One is smart card vendor Gemalto, which has been a major player in the adoption of EMV "chip-and-pin" at POS terminals worldwide. "End-to-end encryption security based on smart card technology is a world-wide proven technology that reduces fraud," says Jack Jania of Gemalto. "I think the US has just been postponing the inevitable."

Carr is not a lone voice in the woods in calling for some payments industry soul-searching, but he is too diplomatic to point his fingers directly at Mastercard, Visa and the issuing banks. Not everyone is. "It's time for them to start dictating, 'Here's what needs to be protected,'" says Voltage Security founder Matt Pauker. "They need to worry less about what vendors offer today and more about what the ideal state is."

A Transparent Clearinghouse?

The creation of an exploit clearinghouse that would make specific, but perhaps confidential, information about security breaches available to the industry faces legal and inertia challenges. It was only a day or two after the Heartland breach was announced before the first class action lawsuit was announced; if done in a totally transparent way, coming clean in a timely fashion about exactly how it was compromised could be detrimental to the company's legal defense.

But offering the insight in an anonymous fashion to a confidential clearinghouse organization could get around many of the legal issues, if only someone would step up to lead the initiative, and pay for it. Banks in the UK are privy to some of this kind of collaboration via APACS, but there's no analogous organization here to take the reins. Heartland is working with industry peers and government or quasi-governmental agencies that have indicated support for the effort, but no agreements were announced at press time. "It'll take some months," Baldwin says. "The big question being what kind of financial resources does this require?"
