Heartland Tests End-to-End Encryption; Gets Good Reviews
Analysts: Industry Standard is Real Key to Thwarting Threats In the first step of its move toward end-to-end encryption, Heartland Payment Systems (HPY) last week completed the first phase of its pilot project.Heartland, the sixth biggest payments processor, earlier this year announced that it was hit with a data breach, wherein credit card numbers and debit card information were taken by hackers who broke into the payment processor's internal network. Since the breach was announced, the company has been working toward introducing advanced encryption standard (AES)-encrypted card transactions from merchants to Heartland's processing platform.
The merchant that took part in the pilot last Monday was a small carwash operation in Plano, TX, near Heartland's operation center. AES is the highest level of encryption and is currently on track to replace Data Encryption Standard (DES) and Triple DES as the desired standard for sensitive data. The pilot transactions included multiple credit cards, prepaid and signature debit card transactions that tested each of the major card brands, says Robert Carr, Heartland's chairman and chief executive officer.
Heartland's Solution
Heartland's new tamper-resistant security module terminal is meant to stop hackers from sniffing data beginning at the point of sale until it reaches the end point at the payment processor. Typically, cardholder data is unencrypted as leaves a merchant's terminal and isn't encrypted until it is either tokenized in a gateway or at rest in the processing platform's data warehouse.
The pilot tested four of five payment zones, the fifth being contingent upon the card brands or card issuer, when the data is sent from the processor to the authorization and settlement centers of the card brand or issuer.
The company says it continues to work with the ANSE ASC X9 Committee to develop an end-to-end encryption standard and follow that standard as much as practical. "We are also working with established US equipment and software manufacturers to implement their TRSM devices into our E3 approach as soon as possible," Carr says. "We believe the marketplace will accept this higher level of payments security, and [we] are willing to share our knowledge and learnings with all industry stakeholders via the Payment Processors Information Sharing Council, FS-ISAC and Secure POS Vendor Alliance organizations."
Will it Work?
Heartland's efforts to implement an end-to-end encryption model are lauded by security experts - but are they enough?
"End-to-end will make it 'more secure,' but nothing is ever 100 percent secure," says David Taylor, Founder, PCI Knowledge Base. "But to encrypt the link to acquirers -- payment processors need them to change their systems and processes. PCI has not mandated that change, and that's the purpose of the proposed X9 standard."
If the data is encrypted only on the system that processes the transaction, that's okay, says Taylor. "It's the 'encrypt, decrypt, re-encrypt' cycle as the data passes through intermediate systems with incompatible encryption ciphers and key management systems that is causing the problem," he explains. This is why a standard is needed to make this work. In the absence of one, encrypted processing can be more of "customer lock-in" feature for the payment processors, as it makes it that much harder to switch processors and/or acquiring banks, Taylor notes, which would mean additional technical and procedural investment and equipment.
The drawback, Taylor sees, is other processors will be much more likely to offer their own versions of "end-to-end encryption" long before there is a standard. "The more versions exist, the harder it will be to get merchants, processors, acquirers to adopt a standard."
Heartland's merchants who adopt the new encryption model will have the "peace of mind" of being well protected since they are usually the ones that end up eating up losses in chargebacks, says Adil Moussa, financial services analyst at Aite Group. "It is time everybody unites and looks at the long term instead of looking at the immediate expenses. I don't like paying a high insurance, but I'm glad to have it when I see the total bill would have cost me after an accident," he notes. Moussa says while the complexity and technical burden and cost may make a lot of players resistant, the industry has to make a stand on security.
Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research, says Heartland is raising the bar in retail payments security by bringing end-to-end encryption to its network. "It will be expensive and a big logistical challenge to execute, but the company has little choice other than to take a security leadership role on the heels of its near-catastrophic data breach last year," he says.
Wills compares Heartland to El Al, the Israeli airline: After it suffered repeated hijackings in the 1970s, it went on to become the world's most secure airline. Wills says Heartland is doing the same thing in the acquiring industry to regain the credibility it has lost. As long as it accompanies that with good policy and process, he sees Heartland as being able to plug a definite security gap in the payments system.