Heartland Payments CEO says end-to-end encryption could prevent card, data breaches

Published: 2 February 2009 y., Monday

 

Nearly one week after news emerged of the big data breach at Princeton, N.J.-based merchant acquirer Heartland Payment Systems Inc., it remains unclear how much damage actually happened and who did it. One report suggests Heartland’s breach-related legal liabilities could approach $98 million, an estimate a Heartland spokesperson dismisses as speculative.

The spokesperson tells Digital Transactions News on Monday that the so-called “sniffer” program secretly planted on one of Heartland’s payment-processing platforms was not being used when investigators found it about two weeks ago. “It was inactive,” the spokesperson says. “I want to be specific to say it was inactive,” he adds, clarifying that the hackers hadn’t deliberately disabled or deactivated it.

Robert Carr, Heartland’s chief executive, meanwhile, issued a statement calling for better industry cooperation and new operational procedures to prevent future data compromises, including industrywide, end-to-end encryption to fully protect cardholder data. Heartland uses encryption, but industry procedures leave data unencrypted during one brief point of the authorization process—a weakness that hackers have learned to exploit. Carr also said Heartland is working on its own system of end-to-end encryption.

Heartland last week said it learned late last fall of the malicious software, or malware, that captured unencrypted card numbers during the authorization process. The spokesperson on Monday said Visa Inc. and MasterCard Inc. first alerted Heartland about suspicious activity sometime in late October or early November. Despite bringing in outside experts, it took until this month to actually find the program, which possibly could have been planted as far back as May (Digital Transactions News, Jan. 22). The spokesperson says he doesn’t know exactly when it was placed on the platform that processes 100 million transactions monthly from about 175,000 small and mid-sized merchant locations, but says it has now been contained and removed. “Our understanding is it was limited to being active in 2008,” the spokesperson says. “Unfortunately, it was very sophisticated.”

Citing unnamed sources, the online newsletter StorefrontBackTalk on Friday afternoon said the U.S. Secret Service “has identified an overseas suspect” in the Heartland breach, but offered no other details other than to say the U.S. Department of Justice is involved and that the suspect is “outside of North America.” Neither the Heartland spokesperson nor a spokesperson for the Secret Service, which is investigating the breach, would confirm that report. “I have nothing on that story,” says the Washington, D.C.-based Secret Service spokesperson.

A foreign connection would not be surprising. In announcing the breach Jan. 20, Heartland said in a release, “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.” Many of the suspects the DoJ charged in connection with the record payment card breach at retailer TJX Cos. were foreign nationals (Digital Transactions News, Aug. 6, 2008).

Besides the missing details about the breach itself, another big unknown is the financial hit Heartland will take. Heartland faces possible lawsuits or bills from credit and debit card issuers for breach-related fraud losses and card reissuance. Some observers have speculated Heartland’s breach could be bigger than TJX’s, which may have compromised up to 94 million card numbers. Although public reports of actual fraud linked to the Heartland breach have not yet surfaced, local press stories monitored by Digital Transactions News report that many community banks and credit unions are reissuing cards whose numbers were compromised when customers made purchases at Heartland merchants. At least one issuer is reissuing about one-third of its card portfolio. Others are taking a wait-and-see approach, telling cardholders to be alert for possible misuse. The nation’s biggest banks—JPMorgan Chase & Co., Citigroup Inc. and Bank of America Inc.—are giving few details about their responses to the breach.

In a report issued Sunday, investment bank Goldman Sachs Group Inc. estimated Heartland could face possible litigation costs of almost $98 million. In arriving at the estimate, Goldman Sachs estimated the affected platform’s 100 million monthly transactions came from 20.5 million unique cards, resulting in potentially 143.5 million cards compromised from May through November. Applying what it says were 68 cents in losses per card from the TJX breach, Goldman Sachs estimates Heartland’s possible liability is $97.7 million.

The Heartland spokesperson, however, dismisses that figure. “I think that is speculation,” he says. “We expect there will be some damages, but I think it’s very preliminary to put a figure on it.” In its report, Goldman Sachs said its assumptions were subject to change depending on further disclosures.

In a news release Friday afternoon, Heartland founder Carr said his company had added more than 400 merchant clients in the preceding few days, more than it did in the same year-earlier period, “despite the headwinds of the economy and attacks by some of our competitors …”. Carr issued a call for payments companies to share more information about the computer-related fraud they experience. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again,” Carr said. “I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.”

In Heartland’s case, the thieves captured account numbers, expiration dates, and some cardholder names, but not confidential merchant data, Social Security numbers, unencrypted PINs, addresses, or telephone numbers.

 


 

Copying, publishing, announcing any information from the News.lt portal without written permission of News.lt editorial office is prohibited.

Facebook Comments

New comment


Captcha

Associated articles

DEA awards e-commerce contract

The Drug Enforcement Administration announced Nov. 26 that it has awarded a $6 million, two-year contract to PEC Solutions Inc. more »

Small victory

Via takes early round in graphics dispute with Intel more »

A trial date

Russian programmer gets April court date more »

Hardcore About Blocking Porn

The most people agree that work is the worst place for it to arrive. more »

Hardware vendors seek Web services opportunities

A host of IT vendors are jumping on the Web-based services bandwagon as hardware vendors realize the additional margins available from helping companies manage hardware from PCs to printers. more »

FBI software cracks encryption wall

‘Magic Lantern’ part of new ‘Enhanced Carnivore Project’ more »

E-Commerce Getting Ready for a Lean, Mean 2002

E-businesses are putting tech spending and other elements of their organizations on a much shorter leash in an effort to get ready for 2002, analysts say. more »

search.lt news

search.lt presents newest links more »

The report

Internet An Ideal Tool For Extremists - FBI more »

IT spend up 1% in 2001 - IDC

The "perfect storm" of the 11 September terrorist attacks, slowing global economy, and the telecommunications supply-demand mismatch, means that worldwide IT spending will only increase one per cent in 2001. more »