Tuesday, June 30, 2009

Heartland Completes Phase 1 of End to End Encryption Pilot

Back in February, in a post entitled Heartland Exposes It's Own Card, I wrote:  Is Heartland going to take the position that they are a "plaintiff" rather than a "defendant" against claims from cardholders/issuers and V/MC themselves? Will they shoot back, or is PCI DSS certification going to shoot down any argument that V/MC may have?

Heartland Payment Systems' Bob Carr shows one of his cards.

In their newly released 4th Quarter Earnings Report, he says that one of the biggest challenges they face in regards to the breach is "defending" claims that "cardholders," "card issuers," V/MC, regulators (and others) have asserted (or may assert). For the first time (that I've seen) he implies that:

  • they intend to vigorously defend any such claims, and
  • they have "meritorious defenses" to those claims.

So it appears that they are preparing to claim that they are the plaintiffs and the defendants are going to be the brands (V/MC). Undoubtedly, they will use their PCI DSS certification as a launching pad to deflect blame from themselves to others. PCI DSS may be the bullet that Heartland fires back with if V/MC tries to shoot them down. This is going to be an interesting legal development and the PIN Payments Blog will keep a close eye on further developments...

Well, here's the latest development. Heartland says they completed Phase 1 of their E2EE pilot and identified "5 Zones" the transaction has to travel through in order to obtain full end-to-end encryption. Problem is, unlike PINs, card numbers are NOT received by Visa/MC encrypted. So, they took advantage of this ailment and identified it. It's a most interesting approach to the beginnings of their "vigorous" defense. In the following press release you will see that they successfully ran (transmitted) an encrypted transaction through "4 of the 5 zones." 1 of the 5 could NOT be done, which logically "exposes" the culprit in the chain of command: "The Card Brands." Apparently the best move, when you're "under the gun," is to turn it around and point the finger at the weakest link. Clever indeed.

Here's their Press Release:


Heartland Payment Systems Successfully Completes First Phase of End-to-End Encryption Pilot

First AES-encrypted transaction from a merchant card reader to and through a major processor network completed

  • Press Release
  • Source: Heartland Payment Systems
  • On Tuesday June 30, 2009, 7:25 am EDT
PRINCETON, N.J.--(BUSINESS WIRE)--Heartland Payment Systems (NYSE: HPY), one of the nation’s largest payments processors, yesterday successfully completed the first phase of its end-to-end encryption pilot project. This first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data.

According to Robert O. Carr, Heartland’s chairman and chief executive officer, to his knowledge, this is the first time encrypted transactions have been sent from a merchant’s card reader to and through a major processor’s payments network.

“Yesterday’s transactions involved a Texas-based merchant and multiple credit card, prepaid and signature debit card transactions testing each of the major card brands,” Carr explained. “These cards were read by our newly developed pilot tamper-resistant security module (TRSM) terminal. The data was encrypted as the electronic digits left the magnetic stripe and entered the TRSM hardware device. The data was then successfully transmitted to and through our processing platform for authorization and settlement.

“Typically, cardholder data is unencrypted as it leaves a merchant’s terminal and is not encrypted until it is either tokenized in a gateway or at rest in the processing platform’s data warehouse,” Carr explains. “This means cardholder data in transit is at risk of being compromised should it get in the hands of cyber criminals or hackers via such methods as network or memory sniffer malware. To protect data throughout the lifecycle of a credit, debit or prepaid card transaction, Heartland is developing end-to-end encryption technology we call E3™ that is designed to encrypt the transaction from the card read through our network and ultimately through transmission to the card brands.”

For Heartland, E3 protection involves five payment zones:

Zone 1: From data entry/card read at the merchant to the authorization network of the processor.

Zone 2: From the entry into the authorization network of the processor and through all points in which data is in motion within the network(s) of the processor and its sub-contractors.

Zone 3: While the data resides in a central processing unit (CPU) or a host security module (HSM).

Zone 4: In a direct access storage device (DASD) or archival storage.

Zone 5: From the processor to the authorization and settlement centers of the card brand or issuer.


“Monday’s successful test involved Zones 1, 2, 3 and 4,” detailed Steven M. Elefant, Heartland’s executive director of end-to-end encryption. “We believe that protecting data in these zones alone will significantly impact the protection of cardholder data.”

Editor's Note: What? Imagine that, no Zone 5. This is one helluva clever way to expose Zone 5 as the culprit in the system. And it sets up their legal defense.

“In Q4, Heartland expects to enhance protection in Zone 3,” Elefant continued. “Protecting data in Zone 5 is contingent on the card brands. We are in active discussions with several of the brands, and our conversations have been very positive. Some card brands have indicated a willingness to pursue accepting transactions from those processors who send encrypted data. While we work on Zone 3 and collaborate with the brands on Zone 5, the next phase of this pilot project involves integrating a set of security-protected chips which we expect will further safeguard the data throughout the lifecycle of the transaction. Heartland plans to pilot this next phase in Q309.”
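As an added illustration of the five-zone model and the Zone 5 dependency described above (example code written for this post, not Heartland's E3 implementation, whose internals the release does not disclose), the following Go model walks one transaction from card read to the card brand: the TRSM seals the track data, Zones 2 and 4 carry the sealed blob unopened, the HSM opens it in Zone 3 to authorize, and Zone 5 is the only step whose clear-or-sealed outcome depends on whether the brand accepts ciphertext. AES-GCM as the mode, a single key shared between reader and HSM, and the sample track string are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// E3 models the AES-GCM key shared by the reader's TRSM and the processor's HSM (assumed mode and key handling).
type E3 struct{ gcm cipher.AEAD }

func NewE3(key []byte) (*E3, error) { // key is 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &E3{gcm}, err
}

// SealTrack is Zone 1: the TRSM seals track data as it leaves the stripe (nonce||ct||tag).
func (e *E3) SealTrack(track []byte) ([]byte, error) {
	nonce := make([]byte, e.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.gcm.Seal(nonce, nonce, track, nil), nil
}

// OpenTrack is Zone 3: only the HSM holds the key; any tampering in Zones 2 or 4 fails the tag.
func (e *E3) OpenTrack(sealed []byte) ([]byte, error) {
	n := e.gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return e.gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// ForwardToBrand is Zone 5: the blob goes on unchanged if the brand accepts ciphertext; otherwise the authorized PAN leaves in the clear.
func (e *E3) ForwardToBrand(sealed []byte, brandAcceptsCiphertext bool) (out []byte, clear bool, err error) {
	pan, err := e.OpenTrack(sealed)
	if err != nil {
		return nil, false, err
	}
	if brandAcceptsCiphertext {
		return sealed, false, nil
	}
	return pan, true, nil
}
```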

“We plan to continue to expedite the development of E3 and launch it commercially late this year,” Carr concluded. “We also plan to continue working with the ANSI ASC X9 Committee which is crafting an end-to-end encryption standard and follow that standard as much as practical. We are also working with established US equipment and software manufacturers to implement their TRSM devices into our E3 approach as soon as possible. We believe the marketplace will accept this higher level of payments security and are willing to share our knowledge and learnings with all industry stakeholders via the Payment Processors Information Sharing Council, FS-ISAC and Secure POS Vendor Alliance organizations.”

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide. Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit http://www.heartlandpaymentsystems.com and http://www.MerchantBillOfRights.com.
