Heartland Data Breach: Is End-to-End Encryption the Answer?
Experts Say New Measure is a Start, but Industry Standards are Needed
In Heartland's first-quarter earnings call last Thursday, company officials said that last year's well-publicized data breach has so far cost the company $12.6 million. The amount includes legal costs and fines from Visa and MasterCard, both of which have stated that the payment processor was not compliant with PCI standards at the time of the breach. Visa had removed Heartland from its list of validated service providers in March, after the breach was made public on January 20. Heartland announced that it had been recertified and reinstated on Visa's list of PCI-DSS validated service providers on April 30.
Heartland has announced plans to protect its processing network with an end-to-end encryption system, under which card data is encrypted at the merchant's terminal and decrypted only inside Heartland's network. Company officials say they plan to begin rolling out the solution to merchants in the third quarter of this year. Merchants would pay for installation of the equipment, while Heartland is already spending "millions" on developing the technology with a yet-unnamed technology provider.
Is End-to-End Encryption The Answer?
Heartland is seen by some industry experts as making the right move in calling for an encryption standard within the payment industry. But the work required to get a standard accepted can take time, says David Taylor, founder of the PCI Knowledge Base. "A standard is needed to make this work. In the absence of one, encrypted processing can be more of a 'customer lock-in' feature for the processors. It makes it that much harder to switch processors and/or acquiring banks because of the additional technical and procedural investment," Taylor says.
The drawback of each processor offering its own version of encryption, says Taylor, is that "the more versions exist, the harder it will be to get merchants, processors and acquirers to adopt a standard." He knows from experience, having worked in the EDI/e-commerce arena when its standards were being developed in the 1990s. It took 10 years, "so I know it can take a long time."
Heartland Raises Bar on Security
Heartland is raising the bar in retail payments security by bringing end-to-end encryption to its network. It will be expensive and a big logistical challenge to execute, but the company has little choice other than to take a security leadership role on the heels of its near-catastrophic data breach last year, says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy and Research. He compares Heartland's situation and action to the Israeli airline El Al's actions to bolster its security processes. "El Al, after it suffered repeated hijackings in the 1970s, went on to become the world's most secure airline. Heartland will need to do the same thing in the acquiring industry to regain the credibility it has lost," Wills notes.
As long as it's accompanied by good policy and process, Heartland's encryption initiative will plug a definite security gap in the payments system. "But just as with PCI compliance or any other security control, this shouldn't be viewed as 'finally providing security,' but rather as an important new security layer in a multidimensional system of layers," Wills says. There will always be a continually shifting set of threats and vulnerabilities: the trick is to track that moving target effectively via a feedback loop of continual risk assessments and security upgrades, he concludes.
As a top 10 payment processor, Heartland can have substantial influence over payment card processing in the future. The proposal for end-to-end encryption is about the best Heartland can do as a processor, but it is limited by a processor's ability to influence change, says Avivah Litan, Distinguished Analyst at Gartner, the Stamford, CT-based IT research firm. "In other words, for this to be very effective, it should ultimately work like PIN encryption works today - i.e., PINs are encrypted all the way from the merchant to the card issuers," Litan says.
This can happen, Litan notes. It's already being done on a large scale in Spain by the Spanish card processors. In the U.S., there are already some smaller processors who offer this service. It will certainly make the merchants more secure, assuming they don't have to manage the encryption keys; don't store unencrypted card data and don't engage in weak key management practices if they do encrypt stored data, she says.
There are certainly always going to be vulnerabilities at the points where data is encrypted and decrypted, but if the technology is sound (as it generally is with PIN encryption), those points are minimized, Litan explains. "For example, PIN decryption happens in a hardware security module under dual control and lock and key. There are some points where this can be cracked, but that's the rare exception." Litan sees two main challenges: terminal upgrades at the merchants and robust key management practices.
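The architecture Litan describes can be shown in a few dozen lines. The following is an added illustration, not code from the article, from Heartland or from any processor: a terminal encrypts the card data under a per-transaction key, every merchant system between the terminal and the processor sees only ciphertext and holds no key, and decryption happens only in a processor-side module whose base key is reconstructed from two custodians' key components (the "dual control" Litan mentions). The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for the 3DES/AES a real terminal would use, the per-transaction derivation is a simplified stand-in for DUKPT (ANSI X9.24) rather than the real algorithm, and the class names, message fields and the test PAN are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # toy key size; real terminals use 3DES/AES keys (assumption)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def derive_txn_key(base_key: bytes, terminal_id: str, counter: int) -> bytes:
    """One key per transaction (simplified stand-in for DUKPT): a leaked
    transaction key exposes that transaction only, never the base key."""
    return hmac.new(base_key, f"{terminal_id}:{counter}".encode(), hashlib.sha256).digest()


def seal(txn_key: bytes, nonce: bytes, plaintext: bytes):
    enc_key = hmac.new(txn_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(txn_key, b"mac", hashlib.sha256).digest()
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unseal(txn_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key = hmac.new(txn_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(txn_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # wrong key or tampered ciphertext
        raise ValueError("bad tag")
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))


class Terminal:
    """Models a PIN entry device: the injected base key never leaves it."""
    def __init__(self, terminal_id: str, base_key: bytes):
        self.terminal_id, self._base_key, self.counter = terminal_id, base_key, 0

    def encrypt_card(self, pan: str, expiry: str) -> dict:
        self.counter += 1
        k = derive_txn_key(self._base_key, self.terminal_id, self.counter)
        nonce = secrets.token_bytes(8)
        ct, tag = seal(k, nonce, f"{pan}={expiry}".encode())
        return {"terminal_id": self.terminal_id, "counter": self.counter,
                "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


class MerchantPOS:
    """Everything between terminal and processor: holds no key, only forwards and logs."""
    def __init__(self):
        self.log = []

    def forward(self, msg: dict) -> dict:
        self.log.append(msg)
        return msg

    def stored_cleartext(self, pan: str) -> bool:
        return any(pan in str(entry) for entry in self.log)


class ProcessorHSM:
    """Decryption point. The base key exists only here, rebuilt from two custodians'
    key components (dual control); either component alone is useless."""
    def __init__(self, component_a: bytes, component_b: bytes):
        self._base_key = xor_bytes(component_a, component_b)
        self._last_counter = {}

    def decrypt(self, msg: dict):
        tid, ctr = msg["terminal_id"], msg["counter"]
        if ctr <= self._last_counter.get(tid, 0):
            raise ValueError("replayed or stale transaction counter")
        k = derive_txn_key(self._base_key, tid, ctr)
        pt = unseal(k, bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"]),
                    bytes.fromhex(msg["tag"]))
        self._last_counter[tid] = ctr
        pan, expiry = pt.decode().split("=")
        return pan, expiry


def is_rejected(hsm: ProcessorHSM, msg: dict) -> bool:
    try:
        hsm.decrypt(msg)
        return False
    except ValueError:
        return True


def demo():
    comp_a, comp_b = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    term = Terminal("T001", xor_bytes(comp_a, comp_b))  # key injection, done out of band
    pos, hsm = MerchantPOS(), ProcessorHSM(comp_a, comp_b)
    pan, expiry = hsm.decrypt(pos.forward(term.encrypt_card("4111111111111111", "1212")))
    return pan, expiry, pos.stored_cleartext("4111111111111111")


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where the keys live: the merchant's POS can be fully compromised and its logs copied without yielding a single PAN, and a custodian holding one key component cannot decrypt either. Litan's two challenges map directly onto it: the terminal must be replaced or re-keyed to do the encryption, and the base key components must be generated, split, transported and loaded under controls at least as strict as the ones protecting the HSM itself.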
Aite Group's Adil Moussa, an analyst who covers the payment card industry, also sees that Heartland's proposed plan is what the industry "knows it needs." Moussa says the issue is that end-to-end encryption will require a substantial investment from different industry players. "I think the complexity (technical burden) and the cost of the whole operation is going to make a lot of players resistant," he states.
The industry has to make a stand on security. "Right now, the current infrastructure works relatively well, and the cost of fraud is still lower than the cost of a complete overhaul," Moussa observes. Once the ROI indicates the opposite, "or once other processors go through Heartland's fate, it will be evident that end-to-end encryption is the way to go."
What Are Hurdles For Heartland?
At the industry level, Javelin's Wills sees mostly political barriers: overcoming the "not invented here" syndrome commonly exhibited by the different players in the payments industry, and persuading those players, who often have different business agendas, to meet in the middle and adopt a common standard. This nearly always happens with cross-industry standards initiatives, Wills observes.
The card companies will have to mandate it for that to happen, Wills notes. "That will be an uphill struggle for them, given the ongoing merchant resistance to PCI. A more likely scenario would be other processors rallying around Heartland in the free market, if they see a competitive advantage to it," he says. In the current environment, improving security will only be seen as a positive by the market.
Will Others Follow?
Visa has already publicly stated (at its March Security Summit) that it is looking at end-to-end encryption and will make some decisions around it soon, says Litan. "They indirectly indicated that merchants who participate in end-to-end encryption schemes will likely benefit by having a reduced set of PCI compliance requirements," she notes.