Since revealing a major theft of its networked customer data, Heartland Payment Systems is promoting end-to-end encryption of credit card data—the lack of which leaves a major security hole in stored account data, experts say.
The existing Payment Card Industry Data Security Standard, commonly known as PCI-DSS, has been an effective way to protect stored credit card account data, but more sophisticated criminal techniques are requiring a new level of security, Heartland chairman and CEO Robert Carr says. “The bad guys have become more sophisticated to the point where encryption of data in motion appears to be the next required step,” he says.
The problem with existing security guidelines and systems, experts say, is that account data stored once a credit card transaction occurs must be momentarily unencrypted at some point so that payment processors and financial institutions can use the data.
“The moment information is decrypted and sent over a secure wire, there is usually no way for a criminal to get to the information, but if someone knows the processing model a company is using, they may be able to get to account information when it’s decrypted and in plain text,” says Andrew Lauter, chief technology officer of Accertify Inc., a provider of technology and services for preventing fraud in card-not-present payment transactions. In such a breach, a criminal would probably inject into a payment processor’s network malicious software designed to pull information at the exact point when the data was decrypted and in a readable form, a tough task to pull off, but not impossible, Lauter says.
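To make the decryption-gap argument concrete, here is an added illustration of the end-to-end model the article describes; it is example code written for this page, not Heartland's, Accertify's or any processor's implementation. It assumes AES-256-GCM under a key held only by the processor, and the function names (`CaptureAtPOS`, `ForwardThroughAcquirer`, `DecryptAtProcessor`) and sample values (a constructed 32-byte key and the well-known `4111111111111111` test number) are hypothetical. The point it shows: when the card number is encrypted at the moment of capture, the intermediate hop's logs and queues hold only ciphertext, and the only place plaintext exists is inside the processor's decryption boundary, which is the single point that then needs hardening (an HSM or equivalent).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Record is the transaction as it travels from terminal to acquirer to
// processor. Only EncryptedPAN is sensitive; every hop may route or log
// the record, but only the processor holds the key that opens it.
type Record struct {
	MerchantID   string
	AmountCents  int64
	Last4        string // truncated PAN for receipts; not sensitive on its own
	EncryptedPAN string // hex(nonce || AES-256-GCM ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("processor key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CaptureAtPOS encrypts the PAN at the moment of capture, before it reaches
// any buffer, log or queue the terminal or merchant network can read.
// The merchant ID is bound in as associated data, so a ciphertext cannot be
// replayed under a different merchant without the processor noticing.
func CaptureAtPOS(processorKey []byte, merchantID string, amountCents int64, pan string) (Record, error) {
	gcm, err := newGCM(processorKey)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return Record{
		MerchantID:   merchantID,
		AmountCents:  amountCents,
		Last4:        pan[len(pan)-4:],
		EncryptedPAN: hex.EncodeToString(append(nonce, ct...)),
	}, nil
}

// ForwardThroughAcquirer models an intermediate hop (merchant or acquirer
// network). It can inspect and route the record, but it holds no key, so
// the log line it writes contains only ciphertext.
func ForwardThroughAcquirer(r Record) (Record, string) {
	logLine := fmt.Sprintf("acquirer route merchant=%s amount=%d last4=%s pan=%s",
		r.MerchantID, r.AmountCents, r.Last4, r.EncryptedPAN)
	return r, logLine
}

// ExposesPAN reports whether a serialized view of the record (a log line,
// a queue message) contains the full PAN in clear. With end-to-end
// encryption this is false at every hop before the processor.
func ExposesPAN(serialized, pan string) bool {
	return strings.Contains(serialized, pan)
}

// DecryptAtProcessor is the single point where the PAN exists in clear; in
// a real deployment this runs inside an HSM or equivalent boundary.
func DecryptAtProcessor(processorKey []byte, r Record) (string, error) {
	gcm, err := newGCM(processorKey)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(r.EncryptedPAN)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pan, err := gcm.Open(nil, nonce, ct, []byte(r.MerchantID))
	if err != nil {
		return "", err // wrong key, tampering, or merchant mismatch
	}
	return string(pan), nil
}

func main() {
	// Constructed demo values: a fixed 32-byte key and the standard test PAN.
	key := []byte("0123456789abcdef0123456789abcdef")
	pan := "4111111111111111"
	rec, _ := CaptureAtPOS(key, "MERCHANT-001", 1999, pan)
	inflight, logLine := ForwardThroughAcquirer(rec)
	fmt.Println("acquirer log exposes PAN:", ExposesPAN(logLine, pan))
	got, err := DecryptAtProcessor(key, inflight)
	fmt.Println("processor recovered PAN:", got == pan, err)
}
```

The acquirer hop is where the article's "decrypted and in plain text" window would otherwise sit; here it never has the key, so scraping memory or logs at that hop yields nothing usable. The associated-data binding also means a record moved to a different merchant ID fails authentication rather than decrypting silently.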
Although Heartland hasn’t blamed that kind of intrusion for its data breach, it says it wants to make it impossible for it to occur on its network. “We hope to develop encryption technology so that if someone gets into our system, they won’t be able to ever use the data they find,” a spokesman says. Heartland processes about 100 million card transactions per month, though the company has not said how many accounts were compromised in the data breach, he adds.
Technology to support end-to-end encryption is already widely used outside of the payment card industry, says Julie Fergerson, vice president of emerging technologies at Debix Inc., a company that helps merchants and financial institutions protect consumer account data. But though it is quite feasible for use in payment card processing, putting it to work in the payment card industry would require a massive upgrading of technology including retail point-of-sale systems, merchant acquirer networks and the technology backbones at credit card associations including Visa and MasterCard, Fergerson says.
Nonetheless, the payment card industry may have no choice but to eventually deploy end-to-end data encryption to keep ahead of credit card fraud, adds Fergerson, who is also co-founder of the Merchant Risk Council, an organization that promotes payment security at online merchants. “It would be a pretty big undertaking, but credit card fraud is a huge problem and only getting worse,” she says.
Avivah Litan, a security technology analyst at research and advisory firm Gartner Inc., says that while end-to-end encryption would require a significant effort, it may be less effort overall than improving security through alternative means such as network administration and auditing. She adds that some retailers, whom she was not free to name, could be expected to announce their own end-to-end encryption projects this spring.
Lauter adds that companies that hold consumer account data should also work on making their networks more bullet-proof. “To me the largest question mark is, if someone breaks into a secured network with multiple layers of defense, which layer didn’t work?”