Tuesday, June 23, 2009
The IAPP (www.privacyassociation.org) is the leading forum for information privacy and is the recognized authority in this space worldwide. In nine years, it has gone from zero to 6,200 members and has developed the Certified Information Privacy Professional certification.
By now, everyone in the ISO community must be aware that Heartland's security was breached in 2008. In his address, Carr discussed his company's experience in dealing with this and presented a bold program designed to eliminate data security vulnerabilities in the payment processing chain.
A year or two from now, people will admit, some admiringly and some grudgingly, that what Carr will have accomplished by then is nothing less than a complete restructuring of how data is captured, processed, archived and moved in the credit card industry. If you have ever worked with the bureaucracies involved here, you will immediately grasp what a monumental effort this really is.
Heartland suffered a malware attack (an SQL injection via a customer-facing Web page), found it and made a best-efforts project of cleaning it up. But at the time no one realized the job had not been completed properly.
Carr doesn't blame the auditors for the breach – in spite of the fact that Heartland was intensively audited and received six clean audits in a row; plus it had routine penetration testing every year with no problems found. He also admits that, at this point, Heartland is still on probation, and he doesn't know how it all is going to end.
He doesn't ask for sympathy, but everyone in the room clearly wondered what it must have been like for Carr to live through this.
Imagine: You are running the fifth largest payment processor in the United States (ninth largest in the world), processing 11 million transactions a day for a quarter of a million merchants who are funded to the tune of $80 billion a year, and suddenly you are delisted by Visa Inc. Your stock price drops from $15 a share to $3.43.
Heartland immediately re-imaged all its servers (the malware was on multiple servers with gateways or dial traffic), added additional network segmentation, increased monitoring and added loss prevention security layers. The company also bought Vontu (an outstanding tool for data loss protection, Carr said), and has done everything else the card brands requested.
Most people don't know that Carr is an information technology geek: As a student at the University of Illinois he wrote computer programs. He then taught programming at a local college and ultimately became Director of the college's computer center. So he was able to approach this situation from a technical perspective.
Carr decided to develop true end-to-end encryption. He approached the American National Standards Institute and formed an industry association – the Payments Processing Information Sharing Council, which is under the umbrella of the Financial Services Information Sharing Council – to get industry buy-in.
The PPISC fosters cooperation among the top 50 acquirers, as well as all third-party processors that provide services to issuers and other acquirers.
Carr doesn't criticize the Payment Card Industry (PCI) Data Security Standard (DSS); he says it is a good thing and serves to protect the 6 million merchants whose acquirers use it. But it is a cat-and-mouse game; PCI contains 230 requirements and must be monitored continually.
Also, if an insider wants to help the "Bigees" (Bad Guys in Eastern Europe), a company is vulnerable to foul play if it does not encrypt data. Carr does not believe chip and PIN will be widespread here soon either; it requires too many people to agree and too much infrastructure change.
He noted that tokenization is an improvement over what is in place but does not entirely eliminate transmitting credit card information in the clear. Additionally, secure sockets layer technology is point-to-point, not end-to-end: As the data goes from one end to the other, it drops off the end of the pipe in the clear, and that's where the sniffers are.
Carr's solution is to encrypt data as it is being taken off the mag stripe, just like you do with PIN debit: You enter the PIN, and the digits are encrypted into a mini Hardware Security Module (HSM) and stay encrypted throughout the system. A Tamper Resistant Security Module (TRSM) reads card verification value data off the card and encrypts it before it is transmitted.
The big news is that Carr is building a TRSM that encrypts the digits in a hardened box, so, yes, the merchant will have to change the mag stripe reader. Heartland will offer a solution for under $500 per POS. This is déjà vu, just like when electronic ticket capture became available: It was a game-changing event for the ISO community – actually the game-changing event.
Carr sees this as a five-zone project: Zone One covers the data from the point of origination to the processor's gateway or network. Zone Two is within the processor's network. Zone Three consists of the HSMs and central processing units within the network. Zone Four is all data at rest in data warehouses, databases and archives. Zone Five covers the data to the issuer through the card brand network.
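The contrast Carr draws between point-to-point SSL and end-to-end encryption, and the five-zone layout, can be made concrete in a small model. The following is an added illustration, not Heartland's or Carr's design: it models each hop as either terminating a link (transport-only) or forwarding ciphertext (end-to-end), and records which hops ever hold the track data in the clear. The track data is a constructed sample using a well-known test PAN, the hop names are assumptions, and HMAC-SHA256 in counter mode stands in for the AES a real TRSM or HSM would use, so the code runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample track data using a well-known test PAN; not real card data.
TRACK_DATA = b"4111111111111111=2512101"

# Assumed hop names, in the order data flows from the merchant toward Zone Three.
HOPS = ["pos", "gateway", "processor_network", "hsm"]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.
    Stand-in for the block cipher a real TRSM/HSM would use (stdlib only)."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def transport_only(track: bytes) -> dict:
    """Point-to-point (SSL-style): each hop terminates the link it sits on and
    re-encrypts for the next link, so every hop holds the track data in the clear."""
    link_keys = {hop: os.urandom(32) for hop in HOPS}
    holds_plaintext = {}
    payload = track
    for hop in HOPS:
        nonce = os.urandom(16)
        on_the_wire = keystream_xor(link_keys[hop], nonce, payload)  # link into `hop`
        payload = keystream_xor(link_keys[hop], nonce, on_the_wire)  # terminated at `hop`
        holds_plaintext[hop] = payload == track
    return holds_plaintext


def end_to_end(track: bytes) -> dict:
    """TRSM encrypts at the read head under a key shared only with the Zone Three HSM;
    intermediate hops forward the same ciphertext and never see the PAN."""
    trsm_hsm_key = os.urandom(32)
    nonce = os.urandom(16)
    on_the_wire = keystream_xor(trsm_hsm_key, nonce, track)
    holds_plaintext = {}
    for hop in HOPS:
        if hop == "hsm":
            holds_plaintext[hop] = keystream_xor(trsm_hsm_key, nonce, on_the_wire) == track
        else:
            holds_plaintext[hop] = on_the_wire == track  # ciphertext only, so False
    return holds_plaintext
```

Running `transport_only(TRACK_DATA)` marks every hop as holding plaintext, which is exactly where Carr says the sniffers sit; `end_to_end(TRACK_DATA)` marks only the HSM.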
Carr believes mandates aren't required, that the marketplace will develop good solutions over the next two to three years. I see this effort as on par with the NASA moon shot in difficulty, but perhaps I am too jaded an observer. I do know that if anyone can make it work, it will be Carr.
In reflecting upon data breaches, you might think, "This can never happen to me." Maybe you think your operation is not as big a target as Heartland, or perhaps you think you have airtight security. Maybe: In 2008, there were 635 breaches, but I didn't hear of more than a handful. This is about trust, and trust is the foundation of the information economy.
Recent studies of terminated employees show that people feel comfortable taking data belonging to their employers with them when they leave. This should really scare you. This is why the privacy business is a growth business: The IAPP, for example, has 6,200 members and is just getting started.
Your merchants need to feel certain you are handling their data in a way that meets generally accepted data security practices, and it is this standard to which your company will be held. Carr is elevating the standard, but he said "knowledge of security threats should not be viewed as a competitive advantage."
The bad guys out there are aggressive, smart, numerous and well-funded, and they are talking to each other. Shouldn't we be doing the same?
Editor's Note: This is a special report to The Green Sheet from Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc. He has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. He can be reached at email@example.com.