Heartland CEO: More Card Encryption Needed

The top executive at Heartland Payment Systems Inc. last week called on credit card vendors, payment processors and retailers to embrace an encryption standard that would protect credit and debit card numbers.

Robert Carr, Heartland's chairman and CEO, told the U.S. Senate Homeland Security and Governmental Affairs Committee that industry guidelines today don't require encryption of credit card numbers during transit between retailers, payment processors and card issuers.

Earlier this year, Princeton, N.J.-based Heartland disclosed that a breach there exposed data stored on tens of millions of credit cards to a gang of hackers.

"I now know that this industry needs to, and can, do more to better protect it against the ever-more-sophisticated methods used by these cybercriminals," Carr said, adding that Heartland is deploying tamper-resistant point-of-sale terminals at its member retailers.

"I believe it is critical to implement new technology, not just at Heartland, but industrywide," he added.

Last spring, the company also helped form the Payment Processor Information Sharing Council, where payment processors can exchange information about threats, vulnerabilities and best practices, Carr said.

The Senate hearing was held in part to determine whether new legislation is needed to fight cybercrime.

Carr didn't offer details about the Heartland breach during the hearing, but he did respond to some pointed questions from senators about the incident.

For example, Sen. Susan Collins (R-Maine) sought to find out how the company could be compromised from October 2006 to May 2008 without discovering the breach.

"There was no hint of fraudulent use of cards that came to our attention until toward the end of 2008," Carr responded. "Cybercriminals are very good at masking themselves."

Under questioning from Sen. Joe Lieberman (I-Conn.), Carr acknowledged that the company still hasn't determined exactly how many cards were compromised in the breach, which he called a "significant compromise."

Some analysts have said that more than 100 million cards may have been exposed, which would make it the biggest breach ever involving payment card data.

This version of the story originally appeared in Computerworld's print edition.

Copyright © 2009 IDG Communications, Inc.
