Heartland CEO on Breach Response
'Anyone That Thinks They're Not Going to be Breached is Naive'
A great deal has changed since 2009, when Heartland's breach, which affected 130 million debit and credit accounts, was revealed. But Carr says open communications, especially for publicly traded companies, pays dividends in the long run.
"I would not advise a one-size-fits-all solution," he says. "Over the past three years, we've overcome it, mainly because we took responsibility for it; we weren't trying to blame anybody else."
Payments processors also have to remember that it's not losses linked to fraud that results from a breach that have an impact on consumers, card issuers and an entity's corporate image. The reissuance of affected cards and the time card-issuing institutions have to devote to risk mitigation and consumer response also must be considered.
"There is damage done when there is a breach, and it shouldn't be minimized," Carr says. "People who are breached should share the information about their breach privately with other payment processors."
Through organizations such as the Payments Processing Information Sharing Council, which Heartland founded, payments processors can more freely share information about fraud trends they're seeing.
"Payments processors should, for the betterment of our industry, share what happened," Carr says. "The bad guys might be in somebody else's system. While they are breaching one company, they might be breaching three other companies. Wouldn't it be good for those other three companies to know what has happened from a victim who already knows?"
Global and Heartland have a few similarities. They both rank among the nation's top 10 processors, and both were removed from Visa's list of PCI-compliant vendors shortly after their breaches went public. (See A Tale of Two Breaches.)
"To be PCI compliant does not mean you can't be breached," Carr says. "Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive."
During this interview, Carr discusses:
- The ins and outs of a payments breach;
- Why PCI compliance should not be considered a silver bullet for fraud protection;
- How long it could be before the industry learns more about exactly what happened at Global.
Carr co-founded Heartland Payment Systems with Heartland Bank in 1997, quickly building the foundation for an end-to-end credit, debit and prepaid card processing engine. Today, Heartland ranks as one of the 10 largest processors in the world. Carr spearheaded The Merchant Bill of Rights - a public advocacy initiative to promote fair card processing practices on behalf of all business owners. He also has been at the helm of an industry collaboration movement to thwart cybercriminals - and help protect business owners, consumers, processors and financial institutions. He was active in the formation of the Payments Processor Information Sharing Council and served as chair of its steering committee. He also serves as associate member director on the board of the Secure POS Vendor Alliance.
TRACY KITTEN: Bob, a great deal has changed in the payments security and fraud-detection space since 2009, when Heartland learned it had suffered a cyber attack that exposed card details on one hundred and thirty million debit and credit accounts. The Heartland breach was a catalyst for change, though painful, what lessons did the industry learn from the breach your company suffered?
BOB CARR: Well, I think the industry learned from our breach that large payments processors who feel like they have been PCI compliant can get penetrated, and that the value of the data needs to be minimized; the eventuality of a breach is likely, as evidenced by the events of the past three years. I would like to say that we've never challenges the 130 million number, but that number was a speculative number, and it very much overstates the exposed card numbers from our breach. And, also, I'd like to state that most of the breaches that happen in our world are never reported. So, the problem is endemic. It is very serious. The bad guys spend lots and lots of money to coordinate themselves, and breaches are going to happen. What needs to happen is that companies that have card numbers and PII (personally identifiable information) in their system need to encrypt it or tokenize it so that it is not available and of any value to the bad guys.
KITTEN: Now, I'd like to go back and talk a little bit about this Global Payments breach, and I understand that you can't talk about Global Payments specifically. Of course, this breach is still under investigation, but a great deal has been said about PCI compliance and Visa's removal of Global Payments from its PCI-compliant list. Heartland also was removed from Visa's list after its breach. What does non-compliance really mean, i.e., are there fines or penalties involved?
CARR: Well, first of all, I would like to say that Global Payments was, during our breach, very supportive of us and we're supportive of Global. We feel very badly for the situation that they are in. To specifically comment, I would say that you are compliant until you're not. It is a temporary-point-in-time analysis that is done by a human being or a set of human beings that aren't perfect; and so to be deemed to be PCI compliant should not give anybody a lot of comfort. It means that you passed the test and the test may or may not have been conducted by someone who is competent. And even if they are competent, the bad guys are very, very good.
They are very, very smart, and I think that anyone who processes PII data should be humble and thank their lucky stars that they weren't Heartland or Global. Again, I think the solution there is no perfect solution; but anyone that thinks they are not going to get breached is being naïve. We are going to all have to be prepared to deal with a breach, and, again, the best way to deal with a breach is to not have any data in the clear that is of any value to the bad guys.
KITTEN: So when a company is found to be non-compliant, do they have to pay fines and penalties?
CARR: The short answer to that is, "Yes." They will pay fines and penalties.
KITTEN: And so going back to talk about Heartland's breach, in the wake of that breach, Heartland focused a great deal of its attention on communications with the public and even the government. Today, Heartland is viewed much differently than it was in the days and weeks that immediately followed its breach. What can you share with us, Bob, about the role communications played?
CARR: Well, I think every situation is different. We are a publicly traded company, and the announcement of our breach was a material event, so we were governed by the rules of the Securities and Exchange Commission. We had a material event happen to us, which could clearly destroy the value, much of the value, of our company. That put everyone at risk. There was the risk of an insider putting out information; the risk of people selling their shares. Martha Stewart had just gone to jail, so this is a very sensitive topic in 2009 when we were dealing with it, and that was a lot of the motivation for the way we dealt with the breach.
A non-public company or a company where this would be a non-material event has different circumstances. I certainly wouldn't try to advise a one-size-fits-all solution here. But, at Heartland, our job was to protect our customers, our stockholders, our employees, and we felt like, because of the fact that we are a pure-play processor and as a publicly traded company, that we needed to communicate with all the stakeholders and tell them as much as we knew about the potential impact that it might have, and tell them that we're going to do our best to overcome it. I think over the past three years we've been successful in overcoming it, partially because we weren't trying to blame somebody else and we were telling the truth about what happened.
KITTEN: Now, what about the card-issuing institutions that were effected? How should they respond to cardholders, when their reputations are on the line as well?
CARR: The card issuers are governed by different laws and regulations and they should and do notify their cardholders that may have been compromised. They need to refund any fraudulent charges that were inferred by their cardholders, and they do that. So, I think the card-issuing community is very familiar with breaches, very familiar with how to notify their customers, the cardholders, and I think they do a pretty good job of that. I don't see that particular issue as being a problem these days. There are 40 some states that have regulations about notifying cardholders, and since the issuer of the card is the only party in the chain that has the address and information about how to contact a cardholder, their obligation is to notify the cardholder, and, as I said, it seems to me that is what is happening in this day in age.
KITTEN: Bob, before close, I wanted to ask, how can companies also protect their brand images and reputations like Heartland successfully did?
CARR: I think the most important thing is not to try to minimize the impact of a breach. While cardholders do get their money back, they still have the trouble and have to go through the time and aggravation of notifying various billpay situations of the change in their card numbers. Sometimes with debit cards, money is drawn out of their checking account and it is not easy to get it back. So, there is a lot of inconvenience caused to the consumer community and there are losses that issuers do take.
It's not just the fraudulent losses, but the re-issuing of cards and the time and effort of the issuer to deal with the breach. So there is damage done when there is a breach and it shouldn't be minimized, in my view. I think what should happen is that people who are breached should share the information about their breach privately with other payments processors. We helped form the organization Payments Processing Information Sharing Council. Payments processors should, for the betterment of our industry, share what happened. The bad guys might be in somebody else's system.
While they are breaching one company, they might be breaching three other companies. Wouldn't it be good for those other three companies to know what has happened from a victim who already knows? And, also, I think just being outspoken with your employees and your customers to just say, "Look, these things happen and we've done everything we know how to mitigate the risk of this ever happening again," and pointing out that there are thousands and thousands of breaches every year in this country and just not very many of them get press. I think, tell the truth about every part of it and don't minimize the impact of it to consumers and issuers. That would be my advice.