With the potential to be the new poster child for data breach notoriety, Heartland Payment Systems of New Jersey responded quickly to its massive security breach.
After media reports surfaced in January that a malware vulnerability may have exposed up to 100 million cards (but not Social Security numbers, PINs, or private merchant data) over several months, Heartland officials contacted more than 150,000 merchant clients to explain how the breach occurred and what steps the 12-year-old payments firm has taken to prevent another one. Customers were also informed that both the Secret Service and U.S. Justice Department are investigating.
Going forward, Heartland promised to speed up the development of "end-to-end" encryption methods that would hide card numbers and other data from prying eyes, starting at the point-of-sale.
End-to-end encryption "will protect data in motion as well as data at rest - as an enhanced standard of payments security," chairman and CEO Robert Carr, said in a statement posted on Heartland's Web site.
Avivah Litan, a security analyst and vp at Gartner, applauds the firm's efforts to expand encrypted security, but says "what Heartland is doing, and they'll tell you this, isn't truly end-to-end. End-to-end is [encryption] from the retailer to the bank."
Even with a successful rollout of encryption to its full roster of merchant clients, Heartland would still need to decrypt card transaction data for eventual transit to thousands of issuing banks - a task that would require unprecedented levels of industry cooperation and standardization, well beyond the PCI Digital Security Standards (DSS) of the card industry.
The Heartland episode raises the question that gets underscored after each multi-million-account breach: can the complex U.S. payments environment derive a universal safety plan for a system mired in legacy technology, the mag-stripe, and disparate levels of security awareness?
"It's intrinsic," says Nick Holland, a senior fraud and security analyst for Aite Group. "When you've got a static card, you're going to have issues."
Holland adds a compelling financial crimes anecdote that indicates the vulnerability of the country's payments infrastructure: in the dark-side chat room circles where crooks sell off their stolen info, U.S. consumer data is the mother lode. "An American ID, as far as card details and a Social Security number, is 10 times more valuable than a European one," says Holland. "It's because of the ease with which that you can duplicate" cards and account credentials in the U.S., versus in the "chip-and-pin," or EMV, smart card standards in the United Kingdom and elsewhere in Europe.
The PCI DSS policy supported by MasterCard, Visa, Discover, American Express and Japan's JCB International has drawn critics who say it is ineffective, largely because its standards body, the PCI Security Standards Council, has no enforcement authority. A mid-2008 poll by card processor Merchant Link, for example, found that only 48 percent of restaurants met PCI requirements on data retention.
"I know that point-of-sale manufacturers are pushing out, to the far end, encryption at the point of card detail capture," says Holland. "But do you build an infrastructure where no one knows the card number, whatsoever?"
That's what retailers seem to want. In late 2007, the National Retail Federation recommended that issuers change data retention policies for retailers and merchants. NRF CIO David Hogan asked standards council to give merchants the option of handling returns and chargebacks through transaction authorization codes rather than credit card numbers.
"Credit card companies and their member banks would be the only ones with large caches of data on hand and could keep and protect their card numbers in whatever manner they wished," wrote Hogan, who did not return calls to US Banker.
The idea never gained any traction, according to Litan.