Industry Needs Full Encryption, Heartland Exec Says After Breach

This article appears in the January 29, 2009, edition of ISO&Agent Weekly.

The payments industry should adopt standards that require all sensitive cardholder data to be encrypted along the entire transaction process, contends Robert O. Carr, chairman and CEO of Heartland Payment Systems Inc. The transaction processor last week reported that hackers gained access to its network last year.

Heartland identified the breach as a "sniffer" program that made it past the company's antivirus software. The program collected card data, including credit and debit card numbers and expiration dates, and delivered it to fraudsters. The Princeton, N.J.-based processor has not said how many transactions were affected. On its Web site, Heartland says it annually processes more than 4 billion transactions.

In a statement, Carr says members of the payments industry must confer with each other to counter fraud. "Up to this point, there has been no information-sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again," he said. Had Heartland known details about previous intrusions at other companies, it might have "found and prevented the problem we learned of last week," Carr says.

As more merchants adopt industry-security protocols, processors appear to be emerging as targets for fraudsters at a "wholesale level," says David Fish, senior research analyst at Mercator Advisory Group LLC, a Maynard, Mass.-based consulting firm. "We will see more of it," he says. "The organized criminal community focusing on card fraud has gotten wise to the fact there is a lot of data within acquirers' walls that they can find a use for."

Updating The Network
Heartland has updated its processing network to enable "much more" analysis of potential transaction-security issues as they occur, Robert H.B. Baldwin Jr., Heartland president and chief financial officer, tells ISO&Agent Weekly. He did not specify details, but a Heartland statement says the move should help law-enforcement agencies to "expeditiously apprehend cybercriminals." Heartland has established a Web site for consumers at www.2008breach.com to explain the breach.

"This is something we are heartsick about," Baldwin says, noting security is a primary focus of the company. "This will redouble that focus to make us a much better company going forward." Baldwin says it is too soon to know the financial impact of the Heartland breach.

Heartland moved "quickly" upon discovering the breach, Baldwin tells ISO&Agent Weekly. "It is clear that card numbers and expiration dates were taken by the bad guys." In some cases, thieves stole cardholder names, Baldwin says.

Heartland notified MasterCard Worldwide, Visa Inc., American Express Co., Discover Financial Services, the U.S. Secret Service and the U.S. Department of Justice of the breach after it found evidence of the malicious software, he says.

MasterCard says it is monitoring the Heartland-breach investigation and is notifying issuers as necessary. Visa referred all inquiries to Heartland.

All of the transactions, which include an undetermined mix of card-present and card-not-present credit and debit transactions, were made in the United States. Hackers did not get merchant data, Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers, Baldwin says.

The breach did not involve Heartland's check-management systems, Canadian payment services, payroll cards, campus products or micropayment operations, the company says. It also did not affect the company's Give Something Back charitable-donation service or its Network Services and Chockstone processing systems.

Heartland says the company used forensic-investigation auditors to identify the breach so the company could terminate the hackers' access.

Breached Processor Hires Encryption Specialist
Heartland Payment Systems Inc., the merchant processor that last week announced hackers captured an untold amount of transaction data in a network breach in 2008, has hired Steven M. Elefant as an executive director of a department in charge of developing encryption measures. He will oversee Heartland's work to encrypt sensitive payment data throughout the entire transaction process.

Late last week, Robert O. Carr, chairman and CEO of the Princeton, N.J.-based processor, called on the industry to adopt measures that encrypt payment data throughout the transaction process. Currently, payment data may enter the transaction loop connecting the merchant to the processor encrypted, but the information eventually must be decrypted, making it vulnerable.

Fraudsters are zeroing in on "data-in-transit" thefts because Payment Card Industry data-security efforts increasingly push merchants away from storing data, reducing the possibility thieves will seek stored data, says Trustwave, a Chicago-based payment-security company.

PCI standards are "good and effective, ... but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps," Carr says in a statement.

The first task for Elefant, a member of the U.S. Secret Service Electronic Crimes Task Force, is to work on getting encrypted card data from the point of sale to Heartland's switch.
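The architectural point Carr makes (card data enters the loop encrypted but is decrypted somewhere before the switch, and the fix is to encrypt from the point of sale all the way to the switch) can be shown with a small simulation. This is an added illustration, not Heartland's or anyone's production code: the POS-gateway-switch path, the sniffer on the internal segment and the sample card record are constructed, and the cipher is a stand-in HMAC-SHA256 keystream used only so the example runs on the Python standard library (a real deployment would use AES-GCM in an HSM-backed terminal).

```python
"""Hop-by-hop vs end-to-end protection of card data on a transaction path."""
import hashlib
import hmac
import re
import secrets

# Constructed sample authorization record; 4111... is the well-known Visa test PAN.
SAMPLE_RECORD = b"PAN=4111111111111111;EXP=1012;NAME=JANE DOE"
LINK_KEY = secrets.token_bytes(32)     # protects only the POS -> gateway link
SWITCH_KEY = secrets.token_bytes(32)   # held only by the processor's switch
PAN_PATTERN = re.compile(rb"\b\d{13,19}\b")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream from HMAC-SHA256(key, nonce||counter); XOR is symmetric.
    Illustrative stand-in only: no integrity protection, unlike AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])


def sniffer(wire: bytes) -> list:
    """What a passive tap on the processor's internal segment can recover."""
    return [m.decode() for m in PAN_PATTERN.findall(wire)]


def run_hop_by_hop(record: bytes, link_key: bytes):
    """Link encryption terminates at the gateway; clear text continues to the switch."""
    on_link = encrypt(link_key, record)
    internal = decrypt(link_key, on_link)      # gateway decrypts, forwards in the clear
    return sniffer(internal), internal         # (PANs seen by sniffer, data at switch)


def run_end_to_end(record: bytes, link_key: bytes, switch_key: bytes):
    """POS seals the record for the switch; the gateway only relays the blob."""
    sealed = encrypt(switch_key, record)
    internal = decrypt(link_key, encrypt(link_key, sealed))  # link hop adds nothing to expose
    return sniffer(internal), decrypt(switch_key, internal)
```

With the same sniffer on the same internal segment, the hop-by-hop path yields the full PAN while the end-to-end path yields nothing usable, which is exactly the difference the "encrypt from the point of sale to the switch" plan targets.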

