Heartland Takes Aim at POS Fraud
Breached Processor Launches Effort to Secure Merchants
Heartland Payment Systems, a payments processor that suffered a massive breach in 2009, is now taking steps to help the merchants that it serves enhance security.
In the wake of recent point-of-sale breaches at two Heartland clients - restaurant chain Penn Station and a locally owned Mexican restaurant in Winchester, Ky. - Heartland executives say they are taking a proactive approach to security.
The processor is helping merchants comply with the Payment Card Industry Data Security Standard and educating them about POS and payment card security, as well as assisting them with POS hardware and network upgrades.
And Heartland also is assisting its merchants with post-breach investigations.
John South, Heartland's chief security officer, says the processor is offering advice because many merchants lack security expertise. "Their specialty is not in securing networks," he says. "And many have little or no experience in installing hardware or software to do that."
Breach Investigation Assistance
By working with merchants, Heartland is sharing the lessons it learned in the aftermath of its own breach, which affected an estimated 130 million credit and debit cards.
The company was transparent about its security failures, and it spearheaded action to enhance card security and PCI compliance across the industry. Heartland used its breach experience as proof that the payments industry needed to move toward end-to-end encryption of data in transactions.
Once Penn Station identified its network breach in June, Heartland came in to lead the investigation. South would not comment on the breach, which affected nearly 100 franchised locations. But he acknowledges that Heartland is offering post-breach investigation assistance to any of its merchant clients that need help.
"Every investigation is different, and there's no specific time-frame for how long an investigation can take," South says.
At the Puerta Grande restaurant in Kentucky, the breach was contained, so Heartland's investigation was brief. But the processor responded by upgrading the restaurant's POS network to its E3 POS system, a hardware-based end-to-end encryption technology that encrypts card data at the terminal and removes the merchant from the process of managing encryption keys locally.
"It has a tamper-resistant model," says Larry Godfrey, who oversees payment solutions design at Heartland. "If someone tries to go in to tamper with the [encryption] keys, the system will just wipe them out."
South says it's not that restaurants have weaker security; it's just that hackers see restaurants as attractive targets because of their high transaction volumes.
Remote Access: The Greatest Worry
Looking ahead, South says remote-access hacks are today's biggest concern - and every merchant is potentially vulnerable.
"Statistically, right now, remote-access capabilities, for whoever installs the system, are posing the greatest threat," he says. "Card skimming is still a problem, but it's just one of several ways that card data can be attacked."
What has made remote access so susceptible to attack is that hackers have figured out how to compromise older versions of remote-access software. They look for weaknesses such as a manufacturer's default password that was never changed, or a software vulnerability that was never patched.
And when POS networks are integrated with enterprise networks, the exposure grows: a foothold on the corporate side can reach the POS systems.
"Truly, the greatest vulnerability in any scenario is probably still the fact that most people can be socially engineered fairly easily," South says. "That's why we're working to educate our merchants about why it's critical they be careful when it comes to how they respond to anything suspicious," whether an e-mail or phone call.
Heartland is connecting merchants with card issuers through organizations like the Financial Services Information Sharing and Analysis Center, to keep them abreast of emerging fraud trends. And the processor says it's also helping merchants find qualified security assessors to assist them with ongoing PCI compliance.
"Information sharing is a big part of it, and it's not just what we pass along as best practices," South says. "It's proactively putting mechanisms in place to help our merchants get more information and education about the trends."
What It Means for Card Issuers
One key step toward improving card security, Godfrey and South say, is for issuers to replace outdated payment cards.
"The fundamental problem is that magnetic-stripe cards are still being issued, and that mag-stripe allows information to be read in clear form," Godfrey says.
A migration to chip cards, end-to-end encryption from transaction initiation at the POS to fulfillment at the processor, and tokenization are the best ways to protect card data, South and Godfrey say.
Card-issuing institutions should provide merchants with incentives to upgrade their systems to accept chip cards that meet the Europay, MasterCard and Visa (EMV) standard, Godfrey says.
"If they offered interchange incentives to merchants that move to encryption, tokenization or EMV, that would make a difference," he says. "The best thing I could see the issuers doing is rewarding those merchants that are willing to make the upgrades."