Payment Compliance Does Not Always Equal Security
Payment data breaches still make big headlines. I have lost count of how many times in the last two years I have had to change my credit card because it was marked as compromised. Why does that keep happening? A large part of the answer is how far your payment processor believes that compliance equals data security.
Does Compliance Equal Security?
Payment processing companies must comply on an ongoing basis with a number of regulations and standards, from PCI DSS (Payment Card Industry Data Security Standard) and EMV to the emerging GDPR (General Data Protection Regulation). But at the end of the day, regulations and audit compliance are just a start, and may not offer full data protection. Just ask any company that has experienced a data security breach: almost all of them were compliant with the current standards until they were breached. Heartland Payment Systems is one such example. In 2008, Heartland suffered what was, at the time, one of the largest breaches in the world.
Founded in 1997, Heartland Payment Systems is a Fortune 1000 U.S.-based payment processing and technology provider, serving small and medium merchants and large enterprises. The company recently merged with Global Payments Systems, a leading worldwide provider of payment technology services that allow its customers to accept all payment types across a variety of distribution channels in many markets around the world. Bob Carr was the CEO of Heartland when, at the end of 2008, he received the call bearing the news no payments company wants to hear: a data breach.
Why was data left unprotected?
Security experts estimated that as many as 100 million cards issued by more than 650 financial services companies might have been compromised in the 2008 breach. Heartland had deployed encryption throughout its systems; however, to determine the next point for the data to travel to, it had to decrypt the data and read it in clear text, and that is where the data was vulnerable. The result was a security environment with many gaps in encryption coverage. Hackers exploited one such gap with a SQL injection attack that siphoned off credit and debit card numbers.
After the breach, Heartland vetted many solutions and concluded that a data-centric approach was the best option for its infrastructure, and deployed our HPE SecureData Payments solution. It provides true end-to-end data protection for payments, protecting data from the card swipe/dip through to Heartland’s back-end systems. The solution is designed to safeguard cardholder data throughout the lifecycle of a payment transaction, enabling Heartland to use end-to-end encryption across all its transaction processing systems.
Leveraging cutting-edge technologies such as HPE Format-Preserving Encryption (FPE) and HPE Secure Stateless Tokenization (SST) enabled Heartland to protect the data at capture and keep it protected throughout its lifecycle. There is no longer a need to decrypt it to determine where it goes next; cardholder data stays in its protected state.
HPE FPE ensures credit and debit card numbers are never exposed while retaining their format, so merchants were not forced to change any of their systems or processes. Another benefit was greatly reduced PCI assessment cost and audit time for Heartland’s customers, because protecting cardholder data at the point of sale (POS) takes those systems out of audit scope.
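To make the "no decryption needed for routing" point concrete, here is an added illustration in Python. It is not HPE's code and is not the algorithm behind HPE FPE or SST (those products use vetted constructions; this is a simplified Feistel-over-digits teaching stand-in). It shows why a format-preserving scheme closes the gap described above: the card number keeps its length and digit format, the BIN and last four stay in the clear, so a routing component can decide where the transaction goes next without ever holding a key or seeing the full PAN. The key, the routing table and the test card numbers are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key for illustration only; a real deployment keeps keys in an HSM.
DEMO_KEY = b"demo-key-not-for-production"
ROUNDS = 10


def _round_function(key: bytes, round_no: int, other_half: int, tweak: bytes, modulus: int) -> int:
    """Keyed pseudorandom function for one Feistel round, reduced into the digit space."""
    msg = tweak + b"|" + bytes([round_no]) + b"|" + str(other_half).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % modulus


def _feistel(digits: str, key: bytes, tweak: bytes, decrypt: bool = False) -> str:
    """Invertible keyed permutation over a fixed-length decimal string.

    Modular addition on each half keeps the output in the same alphabet and
    length as the input, which is the format-preserving property. This is a
    simplified construction for teaching, not NIST FF1 as a product would use.
    """
    n = len(digits)
    left_len = n // 2
    left, right = int(digits[:left_len]), int(digits[left_len:])
    mod_left, mod_right = 10 ** left_len, 10 ** (n - left_len)
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1  # undo rounds in reverse order with subtraction
    for i in order:
        if i % 2 == 0:
            left = (left + sign * _round_function(key, i, right, tweak, mod_left)) % mod_left
        else:
            right = (right + sign * _round_function(key, i, left, tweak, mod_right)) % mod_right
    return str(left).zfill(left_len) + str(right).zfill(n - left_len)


def protect_pan(pan: str, key: bytes = DEMO_KEY) -> str:
    """Encrypt the middle digits at capture; keep the BIN (first 6) and last 4 in the clear."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    bin_, middle, last4 = pan[:6], pan[6:-4], pan[-4:]
    tweak = (bin_ + last4).encode()  # binds the ciphertext to its clear-text context
    return bin_ + _feistel(middle, key, tweak) + last4


def unprotect_pan(protected: str, key: bytes = DEMO_KEY) -> str:
    """Recover the PAN; only the back-end system that holds the key can do this."""
    bin_, middle, last4 = protected[:6], protected[6:-4], protected[-4:]
    tweak = (bin_ + last4).encode()
    return bin_ + _feistel(middle, key, tweak, decrypt=True) + last4


def route_by_bin(protected_pan: str) -> str:
    """Routing decision made on the protected value: no key and no decryption required."""
    bin_ = protected_pan[:6]
    # Constructed routing table for the example; real BIN tables are far larger.
    if bin_.startswith("4"):
        return "network-A"
    if bin_[:2] in {"51", "52", "53", "54", "55"}:
        return "network-B"
    return "unknown"


if __name__ == "__main__":
    clear = "4111111111111111"  # well-known test card number, constructed input
    protected = protect_pan(clear)
    print("captured :", clear)
    print("protected:", protected)  # same length and digit format, BIN and last 4 intact
    print("routed to:", route_by_bin(protected))  # decided without decrypting
    print("back-end :", unprotect_pan(protected))
```

The routing hop works purely on the protected string, so the decrypt-and-read-in-the-clear step that left Heartland's data exposed never happens in the middle of the pipeline; only the back-end that legitimately needs the PAN holds the key.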
Unlike his counterparts who tend to stay off the record on security breaches, Bob Carr has gone public with Heartland’s story to encourage companies to share information about attacks and band together against cybercriminals who themselves are becoming more sophisticated.
Hear him in his own words: