Merchants caught in middle of Heartland, VeriFone dispute

Battle over encryption technology could leave thousands with questionable support

Tens of thousands of customers of Heartland Payment Systems are finding themselves caught in the middle of an escalating war between the payment processing vendor and point-of-sale terminal vendor VeriFone Inc.

Both companies are angrily accusing each other of a litany of misdeeds and have filed a total of four lawsuits in three courts over the past two months.

The dispute is threatening to push back industry efforts to implement new encryption technology for protecting credit and debit card data. It has also left thousands of merchants in serious doubt about the quality of support they will receive for their point-of-sale (PoS) systems over the next few months.

At the center of the dispute is a tamper-resistant security hardware design for payment processing terminals that Heartland is planning to use in its new E3 end-to-end encryption system.

The technology is designed to enable merchants to encrypt card data from the moment a card is swiped at a payment terminal to the point where it comes to rest at the card issuing bank. Besides offering E3 to other PoS vendors, Heartland is planning on manufacturing its own terminals featuring E3 technology.

Heartland launched the encryption effort in the wake of the disastrous systems intrusion last year that exposed data on more than 100 million credit and debit cards. It's the first major end-to-end encryption effort in the industry.

The Princeton, N.J.-based Heartland is one of the largest payment card processors in the country with more than 250,000 merchants using its transaction processing services. Of those, about 175,000 merchants use VeriFone's payment terminals. Heartland claims that less than 50% of its customers user VeriFone terminals.

VeriFone sued Heartland in September, claiming infringement of VeriFone's tamper-resistant security technology in building E3. VeriFone claimed that Heartland was gearing up to be a competitor by manufacturing its own PoS terminals featuring the E3 technology.

In the weeks since filing the lawsuit, VeriFone has mounted a vigorous communication campaign warning Heartland customers about the potential disruptions they could face if they fail to register with VeriFone by Dec. 31. In statements posted on its Web site, press releases and court filings, VeriFone has questioned Heartland's ability to continue supporting VeriFone terminals after Dec. 31.

Verifone has also filed a second lawsuit over misleading claims by Heartland.

"If Heartland were to be cut from any support, its customers would be forced to reach out directly to VeriFone," a VeriFone spokesman said today in an e-mail. After Dec. 31, Heartland merchants who do not make other arrangements have no assurance of software updates, troubleshooting or other intervention by VeriFone, the spokesman said. "Heartland certainly cannot by itself update and maintain VeriFone code and to claim otherwise is ludicrous," he said.

In a countersuit, Heartland said VeriFone brought the lawsuit only because Heartland wanted to work with other manufacturers -- and not just Verifone -- to produce E3 terminals. In a lengthy open letter posted on the company's Web site a few weeks ago Heartland CEO Robert Carr claimed that VeriFone didn't want Heartland to work with other manufacturers to produce E3 terminals and instead wanted to be the sole E3 terminal provider.

Carr has also accused VeriFone of wanting to "line its own pockets" by seeking to charge merchants an unnecessary fee for implementing E3 technology on VeriFone's payment systems.

Heartland insists that it can support all of its customers who are using VeriFone payment terminals. In a second lawsuit filed this month, Heartland accused VeriFone of "false claims" and "unethical attempts" to scare customers over service and support issues. Carr has also maintained that VeriFone's real reason in getting merchants to sign up for the free support is so that it can compile a customer list which it then plans on giving to Heartland's rivals in return for their business.

Speaking with Computerworld today, Carr bluntly accused VeriFone of "lying." VeriFone's claim that Heartland would be unable to support merchants using VeriFone's terminals, is a deliberate distortion of the facts, he said.

Carr insisted that the company has the parts, the inventory and alternative sources of supply to continuing support merchants using VeriFone terminals. We dont need their software, we dont need VeriFone at all, Carr said.

The dispute is likely to having a chilling effect on end-to-end encryption attempts in the payment industry, said Andy Bokor, chief operating officer of Trustwave, a Chicago-based company that conducts security and compliance testing for some of the largest merchants in the country.

"Many of us in the payment industry were curious to see how Heartland's end-to-end encryption would work," Bokor said. Considering how the effort was touted as the "next big thing in the industry, it is a little disheartening to see that there can't be more cooperation," between Heartland and VeriFone, Bokor said.

The dispute highlights the need for payment processors and vendors of PoS systems to work together to implement any kind of end-to-end encryption, he said.

Avivah Litan, an analyst with market research firm Gartner Inc., said the lawsuits will only serve to further confuse merchants about end-to-end encryption efforts.

Many merchants are hesitant to implement the technology because it offers them no immediate benefit from a compliance standpoint, Litan said. The dispute will only serve to further "stifle efforts and movement in this area" she said. "For now, the main parties that are interested in this technology are the payment processors and terminal manufacturers that are trying to sell it to their clients in order to increase their revenues. "

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon