Heartland Payment Systems chief executive Robert Carr remembers what it felt like when he first heard about the massive data breach at his company earlier this year.
“I wanted to throw up. It was devastating,” says Carr, recalling how he felt upon realizing that one of his worst fears had come true. “People had asked me for years ‘what keeps you awake at night’ and I would keep telling them it was the fear of a data breach,” he told Computerworld.
Five months after Heartland announced what some think may be the biggest data breach ever, Carr is working overtime to limit the fallout from the incident, and the damage to the company’s reputation. The sheer magnitude of the Heartland Payment data breach prompted Jennifer Stoddart, Privacy Commissioner of Canada, to call the incident “shocking”.
Since the incident was disclosed, Heartland has accelerated an end-to-end encryption program for protecting card data that it aims to complete in the third quarter. The company is simultaneously pushing a broader effort to develop an industry-wide standard for encrypting data while it’s being transmitted over networks.
The company has also co-founded a group called the Payment Processor Information Sharing Council to give organizations in the payments industry a forum for sharing information about security threats, vulnerabilities and fraud. At the group’s first meeting in May, Heartland handed out a USB drive containing the malicious code that it had discovered on its networks as a sign of its willingness to share details of the attack with others in the industry. Carr has also been reaching out personally to customers, industry groups, security analysts and media to explain what the company has been doing in response to the breach. When rival firms tried to scare Heartland customers over the possible repercussions of using Heartland as a processor, Carr quickly fired out cease and desist letters.
The efforts have been noticed. Though Heartland still faces a flurry of lawsuits, and potentially big fines from card companies, customer attrition has been minimal, and so too has the damage to the company’s reputation within the industry. Now, some analysts are beginning to give the company high marks for trying. Gartner analyst Avivah Litan said Carr’s responses have been very different from those adopted by most CEOs in similar situations. “Generally when something like this happens, the CEOs hide,” Litan said. In this case, Carr has been out in the forefront of his company’s response to the crisis and has appeared willing to spend what it takes to restore a sense of confidence in the company.
“Some might question his real motives. But bottom line [is that] he is doing some good work. He is elevating the debate around card security and even got the card companies to speak about end-to-end encryption,” Litan said.
Tom Wills, a senior analyst at Javelin Strategy & Research, recently compared Carr’s response to the crisis with that adopted by Israeli airline El Al in the wake of a series of hijackings in the 1970s. “El Al redesigned its security from the ground up and went on to build a reputation, one that it holds to this day, as the world’s most secure airline,” Wills wrote in an alert released earlier this month.
He said that based on Carr’s moves so far, “it’s clear that Heartland intends to take the El Al route.”
Princeton, N.J.-based Heartland is one of the largest payment-processing companies in the country, with about 250,000 customers. It announced on Jan. 20 that intruders had broken into its systems several months earlier and potentially compromised data on an undisclosed number of individuals.
The breach is thought to be the biggest ever involving payment card data, with some analysts saying that over 100 million cards may well have been exposed in the intrusion. Heartland’s breach disclosure came just weeks after another major payment processor, RBS WorldPay, announced a data breach involving 1.5 million payment cards.
According to Carr, Heartland’s responses to the incident have been driven simply by the need to protect itself from future compromises and the need for broader collaboration in dealing with increasingly sophisticated attackers. “The attacks on Heartland and RBS WorldPay were incredibly sophisticated,” he said.
In Heartland’s case, the attacks happened even though the company had been certified six times previously as being fully compliant with the requirements of the Payment Card Industry (PCI) Data Security Standard mandated by the major credit card companies.
What the incident highlighted was both the technical acumen of the attackers and the dangers in assuming that compliance alone is enough to keep a company safe, Carr said. “Just because you have a certificate of compliance doesn’t mean that you can’t get breached. If a processor thinks they are bulletproof on these kinds of problems they shouldn’t feel that way,” Carr said.
“I think everyone would agree the PCI standard is necessary, but it is also the lowest common denominator and the bad guys have figured out how to get around some of the weaknesses,” he said.
In the future, credit card companies need to consider using technologies such as Chip and PIN, tokenization and end-to-end encryption to build on the baseline security offered by PCI, Carr said. In Heartland’s case, the company has decided to go with the encryption option because it currently offers the quickest and safest way to secure card data in a manner that goes beyond that prescribed by PCI, he said.
At the same time, Heartland will back and support an effort by the Accredited Standards Committee X9 to develop an industry-wide standard for end-to-end encryption, he said. “We are going to do everything we can to be compliant and to utilize that standard when it becomes available,” Carr said. But rather than wait for the standard to be developed, Heartland will go ahead and implement its own end-to-end encryption scheme in the meantime, he said.
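The article refers to end-to-end encryption and tokenization of card data without showing what either looks like in practice. The following Go program is an added illustration written for this page; it is not Heartland's code, not the X9 standard, and makes no claim about how Heartland's scheme works. It assumes a simplified model: an AES-256-GCM key injected into the payment terminal and held only by the processor, a merchant system in between that only ever forwards ciphertext, the merchant ID bound as associated data so a capture from one merchant cannot be presented as another's, and an in-memory token vault standing in for the processor's real one. The card number is a constructed test value, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample PAN from the well-known test range; not a real account.
const samplePAN = "4111111111111111"

// Terminal encrypts at the point of capture with a key injected into the device.
// Processor holds the same key. The merchant's own systems (assumption) never do.
type Terminal struct{ aead cipher.AEAD }
type Processor struct{ aead cipher.AEAD }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN and binds the merchant ID as associated data, so the
// ciphertext only opens under the merchant ID it was captured for.
func (t Terminal) EncryptPAN(pan, merchantID string) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return append(nonce, ct...), nil // nonce || ciphertext || GCM tag
}

// DecryptPAN runs at the processor; any tampering or wrong merchant ID fails the tag check.
func (p Processor) DecryptPAN(blob []byte, merchantID string) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := p.aead.Open(nil, blob[:ns], blob[ns:], []byte(merchantID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Vault stands in for the processor's token vault (assumption: in-memory map).
// The merchant keeps only the token for refunds and reporting.
type Vault struct{ byToken map[string]string }

func (v *Vault) Tokenize(pan string) (string, error) {
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw) + "_" + pan[len(pan)-4:] // random surrogate, last four kept
	v.byToken[token] = pan
	return token, nil
}

// ContainsPAN reports whether the plaintext PAN appears in what the merchant handled.
func ContainsPAN(data []byte, pan string) bool { return strings.Contains(string(data), pan) }

type FlowResult struct {
	Recovered      string // PAN as recovered at the processor
	Token          string // surrogate handed back to the merchant
	MerchantSawPAN bool   // whether the merchant-side blob held the plaintext PAN
	ReplayRejected bool   // whether presenting the blob under another merchant ID failed
}

// RunFlow walks one authorization: terminal -> merchant (ciphertext only) -> processor -> token.
func RunFlow() (FlowResult, error) {
	key := make([]byte, 32) // AES-256 key; generated here for the demo, injected into the terminal in practice
	if _, err := rand.Read(key); err != nil {
		return FlowResult{}, err
	}
	tAEAD, err := newAEAD(key)
	if err != nil {
		return FlowResult{}, err
	}
	pAEAD, err := newAEAD(key)
	if err != nil {
		return FlowResult{}, err
	}
	term, proc := Terminal{tAEAD}, Processor{pAEAD}

	blob, err := term.EncryptPAN(samplePAN, "merchant-001")
	if err != nil {
		return FlowResult{}, err
	}
	merchantSaw := ContainsPAN(blob, samplePAN) // all the merchant's logs could ever contain

	pan, err := proc.DecryptPAN(blob, "merchant-001")
	if err != nil {
		return FlowResult{}, err
	}
	_, replayErr := proc.DecryptPAN(blob, "merchant-002") // same blob under a different merchant ID

	vault := &Vault{byToken: map[string]string{}}
	token, err := vault.Tokenize(pan)
	if err != nil {
		return FlowResult{}, err
	}
	return FlowResult{Recovered: pan, Token: token, MerchantSawPAN: merchantSaw, ReplayRejected: replayErr != nil}, nil
}

func main() {
	res, err := RunFlow()
	if err != nil {
		panic(err)
	}
	fmt.Printf("processor recovered PAN: %s\nmerchant saw plaintext: %v\nreplay under other merchant rejected: %v\nmerchant stores token: %s\n",
		res.Recovered, res.MerchantSawPAN, res.ReplayRejected, res.Token)
}
```

The point the program makes is the one Carr draws: a PCI-compliant merchant network can still be breached, but if the card number is sealed in the terminal and the merchant only ever forwards ciphertext and retains a token, a compromise of the merchant's systems yields neither.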