May 07, 2009, 2:16 PM — Heartland Payment Systems Thursday reported that the security breach it disclosed earlier this year has cost the company about US$12.6 million so far, including legal costs and fines from MasterCard and Visa, which directly contributed to a $2.5 million loss for the quarter.
Heartland also detailed plans to protect its credit- and debit-card processing network with an end-to-end encryption system that it will begin rolling out with its merchants in the third quarter.
"We are in a cybercrime arms race," said Bob Carr, Heartland's chair and CEO, in explaining why Heartland intends to deploy the custom-built encryption equipment.
During the company's financial earnings call, Carr and other Heartland executives acknowledged the breach is proving a heavy financial burden and that there's no estimated total cost.
Heartland executives also strongly refuted MasterCard's assertion that Heartland did not respond quickly enough or appropriately to information it was given related to the breach. Without providing more detail, Heartland said it will contest MasterCard's assertions legally.
Heartland processes about 100 million card transactions each month, and it's not yet clear exactly how much fraud was committed when cyber-crooks tapped into Heartland's payment network. Visa and MasterCard, as well as some banks, have indicated fraud can be traced back to the Heartland breach
"Sniffers were put on the network by bad guys," said Carr in an interview this week with Network World, during which he described how cybercriminals were able to capture card information travelling in the clear between merchant point-of-sale devices and the processor's network.
At a meeting this week of the newly-formed Payments Processors Information Sharing Council, attended by about 30 industry participants, Heartland distributed on USB sticks some samples of the malware code it believes was used as part of the breach, in the hope this could help protect other companies.
To protect its own processing network, Heartland will roll out an end-to-end encryption system with its merchants, beginning with a trial project this summer, says Carr. The system will be based on hardware and software that Heartland is spending millions to develop with help from soon-to-be-announced technology partners. Heartland has not yet publicly released the technical specifications.
Heartland "is basically leading the way for the rest of the industry," says Gartner analyst Avivah Litan, noting that its plan for end-to-end encryption will be the first effort of its kind in the U.S.
She adds that end-to-end encryption has already gotten underway in Spain among merchants and their processors. One element critical to its success there, she says, is keeping encryption key management simple for merchants.
But in the U.S. today, there is no established standard for end-to-end encryption of payment-processing networks. Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) it is proposing to the Accredited Standards Committee X9 (ASC X9) in early June.
Accredited by the American National Standards Institute (ANSI) to work on standards for the financial services industry, ASC X9 is expected to take up work on developing a new standard to protect cardholder data. But that could take years, Carr points out, and in the meantime the cyber-crooks aren't standing still.
Heartland's processing network is used by 175,000 merchant customers at 250,000 locations. There are five basic parts to deploying end-to-end encryption in the processing environment, says Carr, and Heartland expects be able to encrypt through most or even all of those components with cooperation from other parties. Today he expressed optimism that Visa, MasterCard and others might join him in the endeavor.
The effort requires support from Heartland's merchants, who would have to acquire the specialized equipment. Heartland says it won't subsidize the cost, but would sell it close to cost. Today Carr indicated he thinks encryption will be an attractive "differentiator" for merchants.
Carr acknowledges that Heartland's plans to defend its network through encryption and its own ideas about an end-to-end encryption standard may not be fully in sync with current requirements for card security set by the Payment Card Industry Security Standards Council.
This Wakefield, Mass.-based organization for several years has established technical security standards known as the PCI Data Security Standard set, which are often referenced by banks and card associations, such as Visa and MasterCard, as part of annual security reviews of any business handling payment cards.
Bob Russo, general manager at the PCI Security Standards Council, expressed some concern that Heartland may be embarking on an end-to-end encryption system that will be "proprietary" and not used widely by others. But he added the Heartland approach is "novel," and noted that end-to-end encryption as a topic for the industry is being explored this year, among other possibilities that might boost card-payment security.
Litan says Heartland's initiative will be closely watched. Visa in March publicly said -- in a "politically correct way," Litan notes, since Visa has strongly back PCI DSS -- that the PCI security standards alone may not be enough to protect cardholder data. Visa has signaled it is open to some other approaches, such as end-to-end encryption, Litan says.
