Global Payments Inc.'s recent data breach is causing many payments industry participants, including hundreds of small U.S. processors, to recheck their security, one security expert contends.
Size creates no barrier to hacker attacks, Steve Elefant learned as chief technology officer at Heartland Payment Systems Inc. during its massive 2008 breach.
Big targets draw the most interest from hackers, but as more organizations shore up their security defenses, smaller processors may find themselves at greater risk for similar attacks, Elefant, now a consultant with Strawhecker Group, tells ISO&Agent Weekly.
"When the focus is on large processors' breaches, there is a sense that smaller processors have less to worry about, but the opposite is true," Elefant says. "Smaller processors may have fewer defenses but they cannot afford to be complacent now about their security."
As large as Global Payments' breach was, possibly exposing card account data of some 1.5 million consumers, it was "only a fraction" of Heartland's breach, which involved 100 million exposed accounts, Elefant notes.
Among the lessons Elefant learned during his term as the top information-technology exec at Heartland from November 2008 to September 2011 is that no one has come up with an invincible bulwark against hackers, but widespread advanced data encryption and rigorous Payment Card Industry Data Security Standard compliance go a long way toward preventing break-ins.
"What we are seeing is the reality that there is no such thing as safe software, and there never will be," Elefant says. "But encryption and tokenization are very effective at preventing breaches and securing data, if it is used properly."
Following its breach, Heartland developed proprietary advanced data-encryption technology it markets to other users, prompting competing processors to offer similarly advanced security services to merchants.
But encryption still "is not used widely enough" by payments industry players, Elefant says.
While the public knows few specifics about Global Payments' breach, Elefant says encryption at every step of the process would have closed the security gaps that must have existed.
It is "disappointing" that, despite four years of industry experience following Heartland's breach, another major processor experienced such widespread data exposure, Elefant says.
"I'm not surprised. ... But I am disappointed that a major processor can still be attacked this way," he says.
And that complying with PCI provides no guarantee against data breaches is sobering, he notes.
"PCI compliance has done a lot of good in getting people to think more about security, but the fallacy of PCI is that it will make you more secure against breaches," Elefant says. "PCI compliance is one thing, but you have to be vigilant on many other levels to prevent breaches."
Sadly, Global Payments' data breach will not likely be the last, Elefant warns.
"Hackers are still succeeding, and small processors need to be on alert more than ever before," he says.