September 17, 2009, 12:00 AM

Heartland spends $32 million during first half on breach-related activities

Heartland Payment Systems spent about $32 million in the first six months of this year on forensics, and legal work related to the December 2007 database breach, CEO Robert Carr told a U.S. Senate committee this week.

Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Government affairs this week.

In his testimony, Carr also called for better cooperation between the financial industry and the government, including the sharing of information on security threats, to protect data from cyber criminals. As part of an effort to share such information, Heartland pushed for formation of a committee-the Payments Processing Information Sharing Council-within the Financial Services Information Sharing and Analysis Center to share information about fraud, threats, vulnerabilities and risk mitigation practices, he said.

“At the PPISC, I shared with the payment industry members the malware which we discovered had been used to victimize Heartland,” Carr said. “I believe that by sharing this with others, including our industry competitors, we can better respond to organized attackers.”

In the December 2007 attack, hackers used so-called SQL injection strings to break into a merchant-facing payroll page, placing malware into Heartland’s corporate system. The malware eventually worked its way into the payment processing system, enabling criminals to access unencrypted in-transit payment card data during the transaction and authorization process, Carr said.

Carr again made a pitch for end-to-end encryption, which he said is the only way to prevent criminals from using stolen data. Heartland is in the process of developing a technology called E3 that encrypts data at the point of sale and keeps it encrypted until it reaches the payment card settlement and authorization networks.

“We are working with various suppliers of the technology to make E3 a reality and more ubiquitous,” Carr said. “We are hopeful that these efforts will minimize the costs to merchants while not inconveniencing cardholders and yield a payment processing system that is more secure.”

Heartland this week also launched, an educational web site about end-to-end encryption technology and the E3 solution.

comments powered by Disqus




From The IR Blog


Cynthia Price / E-Commerce

4 tips for improving email marketing results

Every piece of data you collect can help you serve your audience exactly what they ...


Bart Mroz / E-Commerce

How smaller retailers can utilize data as effectively as Amazon

Smaller companies have more constraints, but once they set priorities can still benefit greatly from ...

Research Guides