The announcement by Heartland Payment Systems (HPY) that it will offer its merchants end-to-end encryption capabilities is seen as a positive step by industry experts. Yet, these same experts also warn that this measure will not solve all of the security issues that Heartland and other payment processors face from hackers.
In Heartland's first-quarter earnings call last Thursday, company officials said the well-publicized data breach disclosed last year has so far cost the company $12.6 million. The amount includes legal costs and fines from Visa and MasterCard, both of which have stated that the payment processor was not compliant with PCI standards at the time of the breach. Visa had removed Heartland from its list of validated payment processors in March, after the breach was made public on January 20. Heartland announced on April 30 that it had been recertified and reinstated on Visa's list of PCI-DSS validated service providers.
The plans that Heartland announced will protect the company's processing network with an end-to-end encryption system. Company officials say plans are to begin rolling out the solution to its merchants in the third quarter of this year. The merchants would pay for the installation of the equipment, but Heartland is already spending "millions" on developing the technology solution with a yet-unnamed technology provider.
Is End-to-End Encryption The Answer?
Heartland is seen by some industry experts as making the right move in calling for an encryption standard within the payment industry. But the work required to get a standard accepted can take time, says David Taylor, founder of the PCI Knowledge Base. "A standard is needed to make this work. In the absence of one, encrypted processing can be more of a 'customer lock-in' feature for the processors. It makes it that much harder to switch processors and/or acquiring banks because of the additional technical and procedural investment," Taylor says.
The drawback of each processor offering its own version of encryption, Taylor says, is that "The more versions exist, the harder it will be to get merchants, processors and acquirers to adopt a standard." He knows this from experience, having worked in the EDI/e-commerce arena when its standards were being developed in the 1990s. That process took 10 years: "So I know it can take a long time."
Heartland Raises Bar on Security
Heartland is raising the bar in retail payments security by bringing end-to-end encryption to its network. It will be expensive and a big logistical challenge to execute, but the company has little choice other than to take a security leadership role on the heels of its near-catastrophic data breach last year, says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy and Research. He compares Heartland's situation and action to the Israeli airline El Al's actions to bolster its security processes. "El Al, after it suffered repeated hijackings in the 1970s, went on to become the world's most secure airline. Heartland will need to do the same thing in the acquiring industry to regain the credibility it has lost," Wills notes.
As long as it's accompanied by good policy and process, Heartland's encryption initiative will plug a definite security gap in the payments system. "But just as with PCI compliance or any other security control, this shouldn't be viewed as 'finally providing security,' but rather as an important new security layer in a multidimensional system of layers," Wills says. There will always be a continually shifting set of threats and vulnerabilities: the trick is to track that moving target effectively via a feedback loop of continual risk assessments and security upgrades, he concludes.
As a top 10 payment processor, Heartland can have a substantial influence over payment card processing in the future. The proposal for end-to-end encryption is about the best Heartland can do as a processor, but it's limited by the processor's ability to influence change, says Avivah Litan, Distinguished Analyst, at Gartner Group, a Stamford, CT-based IT research firm. "In other words, for this to be very effective, it should ultimately work like PIN encryption works today - i.e., PINs are encrypted all the way from the merchant to the card issuers," Litan says.
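The architectural point the analysts are making is that the protection an encryption scheme gives depends on where the decrypting key lives: every hop between the point of encryption and the point of decryption sees only ciphertext, and the first host holding the key is where plaintext reappears. The following Go program is an added illustration and is not Heartland's code or a description of its unnamed vendor's product. It assumes a symmetric AES-GCM key shared between terminal and processor, a constructed sample key, and constructed track-style test data using the well-known test PAN 4111111111111111; the `HarvestPANs` function stands in for a sniffer on any compromised hop in between.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// processorKey is a constructed sample key for this example only. In a real
// deployment the terminal would hold it in a tamper-resistant module and the
// processor in an HSM; it would never be embedded in source code.
var processorKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// sampleTrack is constructed test data shaped like track 2 (PAN=expiry+service),
// built on the industry test PAN 4111111111111111, not a live card.
const sampleTrack = "4111111111111111=2512101"

// Transaction is the message a terminal sends toward the processor. CardData is
// plaintext track data in the legacy model and nonce||ciphertext||tag in the
// terminal-encrypted model.
type Transaction struct {
	MerchantID string
	Cents      int
	CardData   []byte
}

// panPattern is what a sniffer on a compromised hop would search traffic for:
// a run of 13 to 19 digits.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// HarvestPANs returns whatever card numbers an intermediate host could pull
// out of the transaction bytes as they pass through it.
func HarvestPANs(tx Transaction) []string {
	return panPattern.FindAllString(string(tx.CardData), -1)
}

// TerminalLegacy models a terminal that sends track data in the clear and
// relies on the processor to protect it: every hop in between sees the PAN.
func TerminalLegacy(merchant string, cents int, track string) Transaction {
	return Transaction{MerchantID: merchant, Cents: cents, CardData: []byte(track)}
}

// TerminalE2E encrypts the track data at the point of capture under the key
// shared with the processor. Merchant ID and amount stay in the clear because
// the processor needs them to route, but they are bound to the ciphertext as
// associated data so a hop cannot re-attach the ciphertext to a different
// merchant or amount without the processor noticing.
func TerminalE2E(merchant string, cents int, track string) (Transaction, error) {
	aead, err := newAEAD(processorKey)
	if err != nil {
		return Transaction{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return Transaction{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(track), associatedData(merchant, cents))
	return Transaction{MerchantID: merchant, Cents: cents, CardData: append(nonce, ct...)}, nil
}

// ProcessorDecrypt is the far end of the tunnel. Only a holder of the key
// recovers the PAN, so this is the first place plaintext reappears; encryption
// in transit does not take the decrypting host itself out of scope.
func ProcessorDecrypt(tx Transaction) (string, error) {
	aead, err := newAEAD(processorKey)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(tx.CardData) < ns+aead.Overhead() {
		return "", errors.New("card data too short to be a sealed message")
	}
	nonce, ct := tx.CardData[:ns], tx.CardData[ns:]
	pt, err := aead.Open(nil, nonce, ct, associatedData(tx.MerchantID, tx.Cents))
	if err != nil {
		return "", fmt.Errorf("authentication failed (altered message or wrong key): %w", err)
	}
	return string(pt), nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func associatedData(merchant string, cents int) []byte {
	return []byte(fmt.Sprintf("%s|%d", merchant, cents))
}

func main() {
	legacy := TerminalLegacy("MID-0001", 1999, sampleTrack)
	fmt.Println("legacy model, sniffer harvests:", HarvestPANs(legacy))

	e2e, err := TerminalE2E("MID-0001", 1999, sampleTrack)
	if err != nil {
		panic(err)
	}
	fmt.Println("terminal encryption, sniffer harvests:", HarvestPANs(e2e))

	tampered := e2e
	tampered.Cents = 1 // an in-transit change to the cleartext amount is rejected
	if _, err := ProcessorDecrypt(tampered); err != nil {
		fmt.Println("tampered amount:", err)
	}
	pt, _ := ProcessorDecrypt(e2e)
	fmt.Println("processor recovers:", pt)
}
```

Two design points follow from Litan's comparison with PIN encryption. First, moving the decrypting key from the processor to the issuer (as PIN processing does) would extend the opaque span by one more party, but it also means the processor could no longer see the PAN at all, which is why a processor cannot do this unilaterally. Second, tying merchant and amount into the authenticated data is what keeps a cleartext routing field from becoming a tampering target; without it, a hop could replay a valid ciphertext under a different merchant ID.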