Heartland Comes Out Swinging After Data Breach - Business Center - PC World
"In the months following the disclosure of what may be the largest data breach in US history, Robert O. Carr, chairman and CEO of Heartland, has come out swinging. Instead of going into a near-death spiral of damage control mitigating the revelation that 100 million customer records leaked during 2008, Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance.
Carr has been quite frank when talking about the breach itself, as opposed to the relative silence from TJX after its data breach back in 2007. Heartland said early on that they believed someone placed a listener program in the stream where data in motion was not encrypted. When the Payments Processing Information Sharing Council (PPISC) met for the fist time this week in St. Pete Beach, Florida, Carr took the unusual step of handing out USBs with the malware code found on the Heartland system at the time of their breach as well as malware discovered through other data breach investigations in 2008 and 2009 so other payment processors could look for malware on their own systems. Carr said in his Q1 2009 Earnings Call on Thursday that other industries share security information like this, why can't the card processors?
Additionally, Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."
Continue Reading at PC World
The only way for TRUE end-to-end encryption to occur is for Visa and MasterCard to change the way they process transactions entirely. This is probably just a legal maneuver on Heartland's part (MasterCard recently hit them with a multi-million dollar fine) and certainly a PR move.
For example. On Telephone-Order transactions the consumer provides their credit card number and expiration date to the operator. Where's the encryption? For e-commerce the consumer "types" their credit card number, expiration data AND CVV into boxes and presses submit. Where's the encryption? And don't tell me the HTTTPS BS.
The only 3DES End-to-End Encrypted Transaction protected by DUKPT and PCI 2.0 certified solution for eCommerce in the world comes from the engineers at HomeATM. How's that for some PR?