Heartland CEO on Breach Response
'Anyone That Thinks They're Not Going to be Breached is Naive'
A great deal has changed since 2009, when Heartland's breach, which affected 130 million debit and credit accounts, was revealed. But Carr says open communication, especially for publicly traded companies, pays dividends in the long run.
"I would not advise a one-size-fits-all solution," he says. "Over the past three years, we've overcome it, mainly because we took responsibility for it; we weren't trying to blame anybody else."
Payments processors also have to remember that fraud losses are not the only consequence of a breach that affects consumers, card issuers and an entity's corporate image. The reissuance of affected cards and the time card-issuing institutions have to devote to risk mitigation and consumer response also must be considered.
"There is damage done when there is a breach, and it shouldn't be minimized," Carr says. "People who are breached should share the information about their breach privately with other payment processors."
Through organizations such as the Payments Processing Information Sharing Council, which Heartland founded, payments processors can more freely share information about fraud trends they're seeing.
"Payments processors should, for the betterment of our industry, share what happened," Carr says. "The bad guys might be in somebody else's system. While they are breaching one company, they might be breaching three other companies. Wouldn't it be good for those other three companies to know what has happened from a victim who already knows?"
Global and Heartland have a few similarities. They both rank among the nation's top 10 processors, and both were removed from Visa's list of PCI-compliant vendors shortly after their breaches went public. (See A Tale of Two Breaches.)
"To be PCI compliant does not mean you can't be breached," Carr says. "Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive."
During this interview, Carr discusses:
- The ins and outs of a payments breach;
- Why PCI compliance should not be considered a silver bullet for fraud protection;
- How long it could be before the industry learns more about exactly what happened at Global.
Carr co-founded Heartland Payment Systems with Heartland Bank in 1997, quickly building the foundation for an end-to-end credit, debit and prepaid card processing engine. Today, Heartland ranks as one of the 10 largest processors in the world. Carr spearheaded The Merchant Bill of Rights - a public advocacy initiative to promote fair card processing practices on behalf of all business owners. He also has been at the helm of an industry collaboration movement to thwart cybercriminals - and help protect business owners, consumers, processors and financial institutions. He was active in the formation of the Payments Processor Information Sharing Council and served as chair of its steering committee. He also serves as associate member director on the board of the Secure POS Vendor Alliance.
TRACY KITTEN: Bob, a great deal has changed in the payments security and fraud-detection space since 2009, when Heartland learned it had suffered a cyber attack that exposed card details on one hundred and thirty million debit and credit accounts. The Heartland breach was a catalyst for change, though painful. What lessons did the industry learn from the breach your company suffered?