July 31, 2009updated 04 Apr 2017 4:17pm

Heartland raises payments security bar


By Charles Davis

Hit by a massive data breach last year, Heartland Payment Systems has turned a near-disaster into an opportunity to set new standards of security in the processing industry. The US payments processor provided Charles Davis with insight into its solution, based on seamless POS-to-processor encryption. Given up by many for dead after last year’s massive data breach, Heartland Payment Systems instead has used the tragedy as inspiration for a top-to-bottom remake of the company’s security systems, and now is ready to unveil an entire new line of business.

Heartland’s response is an end-to-end encryption architecture and processing methodology designed to solve both the root problem of hacking attacks and restore the company’s reputation. Like Johnson & Johnson’s now-famous tamper-proof lid developed after the 1980s Tylenol poisoning which helped restore confidence in the Tylenol brand, Heartland is hoping its end-to-end encryption product will similarly inspire confidence in its security systems.

The task seems daunting, but Heartland already is gaining adherents as it prepares to launch in the fourth quarter its own security module complete with its own line of POS terminals for both credit and debit transactions.

Jason Maloni, a spokesperson for Heartland, told EPI that CEO Robert Karr is “taking lemons, and making lemonade”.

“What happened to us was a travesty, but we are using that travesty to build a better solution for our clients, one that will ensure that nothing like [last year’s data breach] ever happens again,” Maloni said.

“This is a massive undertaking, and one that revolves around end-to-end encryption as the beginning and ending point.”

Heartland is investing heavily in its end-to-end encryption (E3), based on the guiding principle that the problem with security is all about the money: remove the economic incentive for a breach, and there will be fewer of them and, when they do occur, the damage is far easier to contain.

Maloni said that Heartland recently completed the first phase of its end-to-end encryption pilot project, handling more than 1,000 transactions from seven pilot retailers in Indiana and Texas, and added that the E3 network will be ready for live launch in the fourth quarter.

The first step involved the transmission of live Advanced Encryption Standard (AES) encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace the Data Encryption Standard and Triple DES as the desired standard for sensitive data.

According to Heartland, this is the first time encrypted transactions have been sent from a merchant’s card reader to and through a major processor’s payments network.

“The cards were read by our newly developed pilot tamper-resistant security module terminal,” Maloni said. “The data was encrypted as the electronic digits left the magnetic stripe and entered the hardware device. The data was then successfully transmitted to and through our processing platform for authorisation and settlement.”

‘Best solution available’

Typically, cardholder data is unencrypted as it leaves a merchant’s terminal and is not encrypted until it is either tokenised in a gateway or at rest in the processing platform’s data warehouse. This means cardholder data in transit is at risk of being compromised should it get in the hands of cyber criminals or hackers via such methods as network or memory sniffer malware.

To protect data throughout the lifecycle of a credit, debit or prepaid card transaction, Heartland is developing end-to-end encryption technology designed to encrypt the transaction from the card read through our network and ultimately through transmission to the card brands.

“This is the best security solution available for payment transactions,” Maloni said. “It is a huge move forward for us as a company. Our total attention turned to reconfiguring the network so this can never happen again.”

For Heartland, E3 protection involves five payment zones. Zone 1 covers transactions from data entry/card read at the merchant to the authorisation network of the processor, then on to Zone 2, which covers transactions from entry into the authorisation network of the processor through all points in which data is in motion within the network(s) of the processor and its sub-contractors.

Zone 3 covers transactions while the data resides in a central processing unit or a host security module, and Zone 4 covers data held in a direct access storage device or archival storage. Finally, Zone 5 covers the path from the processor to the authorisation and settlement centres of the card brand or issuer.

Whenever a transaction transits from one zone to another, it must pass through a host security module or tamper-resistant security module for a decrypt-and-re-encrypt cycle, much the way PIN debit has been handled in what Visa calls “security zones”.

Once the transaction leaves Zone 4, Heartland will have to decrypt the card data and send it in the clear into card brands’ authorisation and settlement systems using secure direct connections. This is the final loose end in the end-to-end encryption story.
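The zone model and the decrypt-and-re-encrypt step at each boundary can be made concrete with a short simulation. The Go program below is an added example written for this page, not Heartland's E3 code or its terminal firmware. It assumes AES-256-GCM as the cipher (the article says only AES), derives per-zone keys from fixed labels instead of keys generated and held inside a TRSM or HSM, and uses the well-known 4111... test PAN as constructed sample input. It carries one transaction from the card read (Zone 1) through an HSM function at each zone boundary to the cleartext hand-off to the card brand described above, and shows that the bytes crossing the merchant's network never contain the PAN and that a Zone 1 ciphertext is rejected at a later zone boundary.

```go
// Added example (not Heartland's code): a toy model of the E3 zone flow
// described in the article, using AES-256-GCM from the Go standard library.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// zoneKey derives a distinct AES-256 key per zone. This is an assumption of
// the example: a real deployment generates and keeps these keys inside the
// TRSM terminal (Zone 1) and the host security module (Zones 2-4).
func zoneKey(zone int) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("example-e3-zone-%d-key", zone)))
	return sum[:]
}

func zoneAEAD(zone int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(zoneKey(zone))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForZone seals plaintext under the zone's key. The zone label is bound
// as additional data, so a Zone 1 blob cannot be replayed into Zone 2.
func EncryptForZone(zone int, plaintext []byte) ([]byte, error) {
	aead, err := zoneAEAD(zone)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(fmt.Sprintf("zone-%d", zone))
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// DecryptFromZone opens a blob sealed by EncryptForZone for the same zone.
func DecryptFromZone(zone int, blob []byte) ([]byte, error) {
	aead, err := zoneAEAD(zone)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(fmt.Sprintf("zone-%d", zone)))
}

// TerminalCapture models the TRSM terminal: track data is encrypted under the
// Zone 1 key as soon as it is read, before it reaches the merchant's network.
func TerminalCapture(track2 string) ([]byte, error) {
	return EncryptForZone(1, []byte(track2))
}

// HSMCrossZone models the decrypt-and-re-encrypt cycle at a zone boundary.
// Plaintext exists only inside this function, which stands in for the HSM.
func HSMCrossZone(from, to int, blob []byte) ([]byte, error) {
	plain, err := DecryptFromZone(from, blob)
	if err != nil {
		return nil, fmt.Errorf("zone %d -> %d: %w", from, to, err)
	}
	return EncryptForZone(to, plain)
}

// ReleaseToCardBrand is the "final loose end": on leaving Zone 4 the data is
// decrypted for the card brand's authorisation and settlement link.
func ReleaseToCardBrand(blob []byte) (string, error) {
	plain, err := DecryptFromZone(4, blob)
	return string(plain), err
}

// RunE3Pipeline walks one transaction through Zones 1-4 and returns the
// cleartext handed to the brand plus the bytes that crossed the merchant's
// network in Zone 1 (what a network sniffer there would observe).
func RunE3Pipeline(track2 string) (cleartext string, zone1Wire []byte, err error) {
	if zone1Wire, err = TerminalCapture(track2); err != nil {
		return "", nil, err
	}
	blob := zone1Wire
	for z := 1; z < 4; z++ {
		if blob, err = HSMCrossZone(z, z+1, blob); err != nil {
			return "", nil, err
		}
	}
	cleartext, err = ReleaseToCardBrand(blob)
	return cleartext, zone1Wire, err
}

// ExposesPAN reports whether a raw PAN appears in bytes in transit.
func ExposesPAN(wire []byte, pan string) bool {
	return bytes.Contains(wire, []byte(pan))
}

func main() {
	// Constructed sample: the well-known 4111... test PAN, not a real card.
	track2 := "4111111111111111=25121010000012345678"
	clear, wire, err := RunE3Pipeline(track2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("PAN visible on Zone 1 wire: %v\n", ExposesPAN(wire, "4111111111111111"))
	fmt.Printf("cleartext at card brand matches card read: %v\n", clear == track2)
}
```

Binding the zone label as GCM additional data is the point worth noting: each boundary only accepts ciphertext produced for its own input zone, so a blob captured in Zone 1 cannot be injected further down the chain, and the only place cleartext reappears is the deliberate hand-off to the card brand in Zone 5.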

A major question for encryption in general is the passage of encrypted data into the card brands and the willingness of the card associations to accept it. Heartland reports productive discussions with major card brands and has received a commitment from one major card brand to take encrypted data into Zone 5 and the issuing domain.

Anchoring Heartland’s merchant-side solution is its new line of terminals, or tamper-resistant security modules (TRSMs), which turn card data into enciphered bits.

Heartland is applying this approach to all card transactions, not just PIN debit. It has also upped the security ante by using AES rather than 3DES as the encryption algorithm. Heartland is also working with established US equipment and software manufacturers to integrate their TRSM devices into the company’s E3 approach.

Maloni said Heartland also has been instrumental in the formation of the Payment Processors Information Sharing Council – a group of competitors in the payments industry exchanging information about breaches, hackers and other potential security problems.

At the group’s original face-to-face meeting, CEO Karr handed a memory stick with the code found on Heartland’s systems during the data breach to the 36 competitors there, Maloni said.

“That set the tone,” Maloni said. “We are deadly serious about this never happening again.”
