Post-breach, Heartland plans aggressive encryption project

Heartland Payment Systems plans to protect its credit- and debit-card processing network with an end-to-end encryption system that it will begin rolling out with its merchants in the third quarter.

After acknowledging in January that it suffered a data breach, Heartland today "is basically leading the way for the rest of the industry," says Gartner analyst Avivah Litan, noting that Heartland's plan for an end-to-end encryption system will be the first effort of its kind in the United States.

The system will be based on hardware and software that Heartland is spending millions of dollars to develop with help from soon-to-be-announced technology partners. Heartland has not yet publicly released the technical specifications.

Heartland processes about 100 million card transactions each month, and it's not yet clear exactly how much fraud was committed as a result of the breach, though Visa and MasterCard, as well as some banks, have indicated fraud can be traced back to the break-in.  (Heartland may discuss the breach impact in more detail in its financial earnings call tomorrow.)

"Sniffers were put on the network by bad guys," recalls Bob Carr, Heartland's chairman and CEO, describing how cyber-crooks were able to capture card information travelling in the clear between merchant point-of-sale devices and the processor's network.

Heartland's processing network is used by 175,000 merchant customers at 250,000 locations. Later this summer Heartland plans to have some merchants start using the specialized encryption equipment that it's developing. Heartland says it won't subsidize the cost of that gear, but would sell it close to cost. The long-term goal at Heartland is to require end-to-end encryption once the first trial period succeeds.

Litan notes that end-to-end encryption has already gotten underway in Spain among merchants and their processors. One element critical to its success there, she says, is keeping encryption key management simple for merchants.

In the United States today there is no established standard for end-to-end encryption of payment-processing networks. But Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) that it's proposing to the Accredited Standards Committee X9 (ASC X9) in early June.

Accredited by the American National Standards Institute (ANSI) to work on standards for the financial-services industry, ASC X9 is expected to take up work on developing a new standard to protect cardholder data. But that could take years, Carr points out, and in the meantime the cyber-crooks aren't standing still.

Carr acknowledges that Heartland's plans to defend its network through encryption and its own ideas about an end-to-end encryption standard may not be fully in sync with current requirements for card security set by the Payment Card Industry Security Standards Council. 

This Wakefield, Mass., organization for several years has established technical security standards known as the PCI Data Security Standard set, which are referenced by banks and card associations, such as Visa and MasterCard, often as part of annual security reviews of any business handling payment cards.