September 17, 2009, 12:00 AM

Heartland spends $32 million during first half on breach-related activities

Heartland Payment Systems spent about $32 million in the first six months of this year on forensics and legal work related to the December 2007 database breach, CEO Robert Carr told a U.S. Senate committee this week.

Paul Demery

Managing Editor, B2B E-commerce

Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Governmental Affairs this week.

In his testimony, Carr also called for better cooperation between the financial industry and the government, including the sharing of information on security threats, to protect data from cyber criminals. As part of an effort to share such information, Heartland pushed for formation of a committee, the Payments Processing Information Sharing Council, within the Financial Services Information Sharing and Analysis Center to share information about fraud, threats, vulnerabilities and risk mitigation practices, he said.

“At the PPISC, I shared with the payment industry members the malware which we discovered had been used to victimize Heartland,” Carr said. “I believe that by sharing this with others, including our industry competitors, we can better respond to organized attackers.”

In the December 2007 attack, hackers used so-called SQL injection strings to break into a merchant-facing payroll page, placing malware into Heartland’s corporate system. The malware eventually worked its way into the payment processing system, enabling criminals to access unencrypted in-transit payment card data during the transaction and authorization process, Carr said.

Carr again made a pitch for end-to-end encryption, which he said is the only way to prevent criminals from using stolen data. Heartland is in the process of developing a technology called E3 that encrypts data at the point of sale and keeps it encrypted until it reaches the payment card settlement and authorization networks.

“We are working with various suppliers of the technology to make E3 a reality and more ubiquitous,” Carr said. “We are hopeful that these efforts will minimize the costs to merchants while not inconveniencing cardholders and yield a payment processing system that is more secure.”

Heartland this week also launched E3secure.com, an educational web site about end-to-end encryption technology and the E3 solution.
