Heartland Payment Systems’ CEO, Robert Carr, revealed last week that the company has begun to make its end-to-end encryption devices available to its merchant clients. At the same time he blamed Heartland’s previous PCI auditors for the firm’s significant card security breach.

Heartland suffered what some have considered the largest card data breach in U.S. history in 2008 and revealed it had discovered the breach in January 2009. An indictment against the man authorities allege led the theft was disclosed this week.

Since revealing the breach, Heartland has faced significant litigation and has become a vociferous advocate for so-called “end-to-end” encryption, which the company argues would protect card data not only at rest on a processor’s servers but also while it is sent from point to point in the approval process. The firm has joined technical panels charged with developing a data standard for this sort of encryption, and the company has launched its own research effort to develop a standard.

Carr told CSO Magazine, a journal that specializes in covering computer security and data protection issues, that the company had reached a milestone in its end-to-end encryption effort and was ready to add encryption devices to its card readers.

“We contracted with Voltage Security to use their encryption technology,” Carr told the magazine. “We have absorbed that cost and the cost of developing an encryption device. We are not passing that on to customers. We haven’t increased anyone’s pricing. That said, customers who want to go to our new encryption device will have to rent or buy it. It will cost under $500, approximately. The savings they’ll get from not having card numbers in their systems will be worth it. The technology will prevent raw numbers from being transmitted in the clear.”

He also absolved Heartland of at least some of the responsibility for the breach, placing the blame instead on the firm the company relied upon to audit its card data security compliance.

“The audits done by our QSAs [qualified security assessors] were of no value whatsoever,” Carr said. “To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

This drew swift disagreement from several computer industry experts and analysts.

“As the CEO of a large public company, you clearly understand the role of audits, assessments and auditors,” wrote Rich Mogull, CEO of Securosis, a computer security research and advisory firm, in an open letter to Robert Carr on the firm’s Web site (www.securosis.com). “You are also fundamentally familiar with the concepts of enterprise-risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.”

Mike Rothman, senior vice president for strategy with eIQnetworks, a computer security consultancy, called Carr’s blaming of the auditing firm “outrageous” and added that it made him doubt that the card processor had really learned anything from its breach experience.

He also called Heartland’s end-to-end encryption effort “ridiculous,” arguing that the devices are too expensive at $500 to be a really practical solution and that Heartland had not yet secured agreement from other parts of the payments system to make end-to-end encryption a reality. “It’s nice that they can encrypt data in their own footprint, but what happens when it leaves?” Rothman asked.

Rothman suggested the Heartland end-to-end encryption effort had more to do with the firm trying to ease its post-breach litigation challenge and avoid responsibility for the breach than with developing a lasting end-to-end encryption standard.

Credit Union Times
Copyright © 2022 ALM Media Properties, LLC. All Rights Reserved.