As if the card industry did not have
enough to contend with, a major data breach at one of the biggest
payment processors in the US has called into question the strength
of existing anti-fraud safeguards, which were toughened up
following the infamous TJX breach of 2006. Victoria Conroy
reports.

Millions of cardholders in the US could
have had their card data compromised after a gigantic security
breach hit payment processor Heartland Payment Systems, which
serves more than 250,000 businesses across the US, and processes
more than 4 billion transactions annually.

It could yet prove to be the biggest
incident of fraud affecting cardholder security, due to the fact
processors such as Heartland handle transactions from a variety of
bank issuers, acquirers and merchants. The largest previous
incidence of fraud in the US occurred in 2006 at a single retailer,
TJX, when around 45 million Visa and MasterCard accounts were
estimated to have been put at risk due to a security breach in the
retailer’s systems.

The Heartland breach was announced in
mid-January after payment networks Visa and MasterCard flagged up
suspicious activity on card transactions, believed to have occurred
around late 2008. An investigation by forensic auditors then
discovered malicious spying software, known as malware, had managed
to infiltrate Heartland’s processing system and capture data as it
was processed, potentially putting millions of cardholders at
risk.

Magnetic stripe data
exposed

According to Heartland, the sixth-largest
payment processor in the US, data which is typically stored on the
magnetic stripe of the card – credit card numbers and expiration
dates – has been exposed, but no merchant data or cardholder social
security numbers, unencrypted PINs, addresses or telephone numbers
were involved in the breach.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Heartland has not yet revealed how many
cardholders are at risk or how long the malware was in its computer
system, but says it has now plugged the security hole that allowed
its systems to be compromised. US federal law enforcement officials
and potentially affected card companies have now been informed and
a website has been set up for cardholders who are worried their
details may have been exposed.

Cardholders are also being advised to
monitor their monthly statements and to report any suspicious
activity to their card issuers.

Heartland said it would also roll out a
programme to flag network anomalies in real-time in an effort to
assist law enforcement officials to apprehend the fraudsters behind
the malware attack. It also said it had informed more than 150,000
merchants since the breach was first reported on 20 January to
inform them of any potential ramifications, and was working with
other payment players about collaborating to fight instances of
cyber fraud.

“Up to this point, there has been no
information sharing, thus empowering cyber criminals to use the
same or slightly modified techniques over and over again” said
Heartland CEO Robert Carr. “I believe that had we known the details
about previous intrusions, we might have found and prevented the
problem.”

Counting the cost of
compliance?

But the company will still likely have to
pay huge financial penalties to affected banks to reimburse the
cost of replacing and issuing new cards to customers, should they
become victims of subsequent fraud.

Affected merchants are also likely to
pursue Heartland for the costs they will saddle, as consumers
typically are not liable for fraudulent charges on their card
accounts. According to Heartland, the average merchant customer has
around $350,000 in Visa and MasterCard transactions.

In 2005 another payment processor,
CardSystems Solutions, went out of business, following a data
breach that put at risk around 40 million credit card accounts. In
December 2008, almost two years after TJX’s breach, TJX was forced
to pay settlements to a range of banks and networks totalling $41
million as compensation.

The Heartland breach has drawn attention
to the current state of merchant compliance with the Payment Card
Industry Data Security Standards, a set of requirements detailing
the storage of cardholder data created by Visa and MasterCard that
merchants are obliged to comply with. The Heartland breach is all
the more worrying because it was PCI-compliant, and that has left
industry expects asking whether those standards are enough to fend
off increasingly sophisticated fraud attacks.

According to a recent study from the
Identity Theft Resource Center (ITRC), reported data breaches in
the US during 2008 rose by 47 percent compared to 2007. Some 656
data breaches occurred last year, of which 78 affected financial
institutions. Financial services accounted for the fewest number of
breaches – 78, or 11.9 percent of the total.

“The financial, banking and credit
industries have remained the most proactive groups in terms of data
protection,” the ITRC said in its study.

However, in terms of potential or
unreported breaches, the ITRC said around 35.7 million records
could have been compromised, and the true figure is likely to be
far higher because around 42 percent of cases went unreported or
undisclosed. According to the ITRC, financial services accounted
for over 18.1 million compromised records, representing 52.5
percent of the 35.7 million figure. Most of the financial sector
breaches were the result of hacking, followed by insider theft.

Major incidents of card data breaches