This story appears in the March 2009 issue of Cards&Payments.
Perhaps the most disturbing aspect of the data breach Heartland Payment Systems Inc. reported in January was that the U.S.-based merchant processor says it was compliant with industry standards. That hackers breached the processing network and installed software where rules allowed Heartland to store unencrypted cardholder data suggests the industry has more work to do.
In the ongoing cat-and-mouse game, processors face the task of changing how they protect cardholder data even as wily hackers are evolving their methods to get around the protections.
In Heartland's case, a hacker's "sniffer" program made it past the company's antivirus software last year and sat undetected, delivering the card data it collected to the fraudsters, Robert H.B. Baldwin Jr., Heartland president and chief financial officer, tells Cards&Payments. Though Heartland says it first learned of a potential problem with its network on Oct. 28, when the major card brands contacted the processor, the breach apparently began in May.
When Heartland confirmed the security breach in January, it notified MasterCard Worldwide, Visa Inc., American Express Co., Discover Financial Services, the U.S. Secret Service and the U.S. Department of Justice, according to Baldwin. "We moved quickly on this," he says.
MasterCard says only that it is monitoring the investigation into the breach and is notifying issuers as necessary. AmEx said it is monitoring the investigation, too. Discover says it is working with law-enforcement agents investigating the matter, and that the full extent of the breach and number of affected cardholders is not yet known. Visa referred all inquiries to Heartland.
All of the transactions, which include an undetermined mix of card-present and card-not-present credit and debit activity, were made in the United States. Hackers did not get merchant data, Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers, Baldwin says.
The breach did not involve Heartland's check-management systems, Canadian payment services, payroll cards, campus products or micropayment operations, the company says. It also did not affect the company's Give Something Back charitable-donation service or its Network Services and Chockstone processing systems.
However, "It is clear that card numbers and expiration dates were taken by the bad guys," and, in some cases, cardholder names, Baldwin says. "We just don't know how many cards at this time."
Neither Heartland nor the payment card networks have said how many transactions may have been compromised, but the processor says it annually processes 4 billion transactions. Heartland also has notified about 150,000 merchant locations it serves of the breach.
Heartland executives say the processor is working to update its network to keep cardholder data encrypted at all times. They contend the payments industry should adopt standards that require all sensitive cardholder data to be encrypted along the entire transaction process.
The Payment Card Industry data-security standards are "good and effective," Robert O. Carr, Heartland chairman and CEO, said in a statement. But "the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps," he added.
And members of the payments industry must communicate more with each other to counter fraud efforts, according to Carr. "Up to this point, there has been no information-sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again," he said.
Had Heartland known details about previous intrusions at other companies, it might have "found and prevented the problem," Carr said.
Shortly after announcing the breach, Heartland hired Steven M. Elefant, a member of the U.S. Secret Service Electronic Crimes Task Force, as executive director of a department in charge of developing encryption measures. He will oversee Heartland's work to encrypt sensitive payment data throughout the entire transaction process.
Currently, payment data may enter the transaction loop connecting the merchant to the processor encrypted, but the information eventually must be decrypted, making it vulnerable.
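As an added illustration (not from the article or from Heartland), the scan below shows what "unencrypted cardholder data in motion" looks like to a defender: a monitor reads constructed processor-network messages and flags Luhn-valid card numbers that appear in the clear, while fields encrypted at the point of capture yield nothing to report. All message formats and values are constructed for this example; the PANs are standard test numbers, not real cards.

```python
import re
from typing import Dict, List

# Constructed sample of what an application-layer monitor might see on a
# processor's internal network (these are test PANs, not real cards).
SAMPLE_MESSAGES = [
    b"AUTH|PAN=4111111111111111|EXP=0311|AMT=4999",                # PAN in the clear
    b"AUTH|PAN=4111111111111112|EXP=0311|AMT=4999",                # fails Luhn: not a PAN
    b"AUTH|PAN=ENC:k3Jd9QwXbA|EXP=ENC:Pq7L|AMT=4999",              # encrypted at the terminal
    b"SETTLE|REF=1234567890123456|PAN=5500000000000004|AMT=1200",  # REF fails Luhn, PAN does not
]

# Card numbers are 13 to 19 digits; the lookarounds stop us matching inside longer runs.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(message: bytes) -> List[str]:
    """Return every Luhn-valid 13-19 digit run found in a raw message."""
    return [m.decode() for m in PAN_RE.findall(message) if luhn_valid(m.decode())]


def mask(pan: str) -> str:
    """Keep only BIN (first 6) and last 4 so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(messages: List[bytes]) -> Dict[int, List[str]]:
    """Map message index -> masked PANs seen in the clear; an empty dict means nothing to report."""
    findings: Dict[int, List[str]] = {}
    for idx, msg in enumerate(messages):
        pans = find_cleartext_pans(msg)
        if pans:
            findings[idx] = [mask(p) for p in pans]
    return findings


if __name__ == "__main__":
    for idx, pans in scan(SAMPLE_MESSAGES).items():
        print(f"message {idx}: cleartext PAN(s) {pans}")
```

Messages 0 and 3 are reported; message 2, whose card fields were encrypted before leaving the terminal, gives a sniffer in the same position nothing usable.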
Other processors are not eager to discuss any changes to their own operations, at least not publicly, in response to the Heartland breach.
"The security breaches encountered are disturbing for all of us in the industry," a spokesperson for U.S.-based processor Total System Services Inc., or TSYS, said in a statement to Cards&Payments. "When one occurs, it has detrimental effects on all participants in the payments chain. At TSYS, security of our systems and our clients' data is our number-one priority. We strive to adhere to the highest security standards and practices possible and drill 'think security' into the minds of each of our team members every day."
He declined to comment further.
U.S.-based First Data Corp. also declined an interview on the topic, but a spokesperson said in a statement the processor takes data security very seriously.
"We constantly monitor our systems, and we work aggressively to stay compliant with all industry standards. We have multiple tools at our disposal and multiple tools we offer our customers to help prevent fraud," the spokesperson said.
And First Data also applies what it learns from "previous and current industry issues to further secure our systems," the spokesperson added.
Fraudsters are zeroing in on "data in transit" because payments industry data-security efforts increasingly push merchants away from storing data, reducing the possibility thieves will seek stored data from them, according to Trustwave, a Chicago-based payment-security company that investigates possible and confirmed breaches at retailers, processors and other entities that handle payment card data.
As more merchants adopt industry security protocols, processors appear to be emerging as fraud targets at a "wholesale level," says David Fish, senior research analyst at Mercator Advisory Group LLC, a Maynard, Mass.-based consulting firm.
"We will see more of it," he says. "The organized criminal community focusing on card fraud has gotten wise to the fact there is a lot of data within acquirers' walls that they can find a use for," he says.
Avivah Litan, vice president and research director at research company Gartner Inc., praises Heartland's attempts to work with other companies to promote end-to-end encryption.
Heartland "can't manage the whole industry, but they are setting a standard, and it would be nice if the rest of the banking industry followed because then it really would be end to end," Litan says. "You're only going to solve this with stronger security measures."
Heartland's efforts are "definitely going to bring credibility" to the idea of introducing more encryption in the payment system, Litan says. "There are some retailers that may switch to Heartland because of this, so it may become a competitive edge," she says.
Indeed, Heartland claims it has signed more than 400 new processing customers since it disclosed the breach, including merchants and payroll and check-management clients.
As Heartland works toward keeping data encrypted the entire time it resides on its network, the processor already has updated its network to enable "much more" analysis of potential transaction-security issues as they occur, Baldwin says.
Though he did not specify details, a Heartland statement says the move should help law-enforcement agencies "expeditiously apprehend cyber criminals."
Not surprisingly, consumer class-action complaints followed closely behind the breach announcement: two filed in New Jersey and one in Florida. All allege Heartland violated the Fair Credit Reporting Act and a variety of other states' data-breach notification and consumer-protection laws.
A Heartland representative said the company would not comment on the suits.
Heartland could dampen negligence claims if it was compliant with the Payment Card Industry Data Security Standard when the breach occurred, unlike scores of merchants that were not compliant when hackers breached their card data, according to Ronald Mann, a professor of law and co-chair of the Charles E. Gerber Transactional Studies Program at Columbia Law School in the United States.
And plaintiffs could have a difficult time proving the breach harmed them, given that, besides some cardholder names, the only breached information appears to be data on cards, Mann adds. Clearing fraudulent transactions from a card account is a hassle, but issuer policies are to cancel or reimburse cardholders for fraudulent transactions when they occur.
"The bigger problem the plaintiffs face in these cases is getting them certified as classes," Mann says. "In previous litigation in this area, class-action suits against the hacked merchant have suffered from the problem that the likelihood of identity theft or of substantial harm depends a great deal on the particular circumstances of the victims and of their card issuers."
Whether the plaintiffs prevail, Baldwin says Heartland is "heartsick" about the breach. "This will redouble that focus to make us a much better company going forward," he says, adding it is too soon to know the financial impact of the breach.
The breach's impact on the payments industry will surely include widespread reviews of current industry security practices and changes to adapt to new types of attacks.
Daniel Wolfe of American Banker contributed to this article.