Breached Heartland looks to end-to-end data encryption

After suffering a massive data breach last year, Heartland Payment Systems has questioned the effectiveness of current industry security standards and called for the adoption of end-to-end data encryption.

Heartland admitted last week that it had found malicious software in its processing system, potentially compromising the card data of millions of people.

The firm now says it is setting up a dedicated department - led by Steven Elefant - to develop end-to-end encryption, ensuring data is secure in motion on corporate networks.

The Payment Card Industry Data Security Standard (PCI DSS) only requires firms to encrypt cardholder data when transmitted across open, public networks.
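To make the gap between those two models concrete, here is an added example (not code from Heartland, Voltage or Finextra) that simulates both flows in Go. In the transit-only model the terminal-to-host link is encrypted, but the merchant's processing host terminates that link and holds the card number in cleartext before re-encrypting it toward the processor; in the end-to-end model the terminal encrypts under a key only the processor can use, so the host forwards ciphertext it cannot open. An `Observer` stands in for anything with read access to the host's memory and reports whether the PAN ever appeared there. The key names, the `Observer` type and the test PAN are constructed for this example; in a real deployment the processor key would live in an HSM and terminals would hold per-device keys derived from it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed key material for the simulation only. linkKey models a
// hop-by-hop session key (as TLS would provide); processorKey is a key
// that only the payment processor's side can use.
var (
	processorKey = sha256.Sum256([]byte("constructed-processor-key")) // 32 bytes -> AES-256
	linkKey      = sha256.Sum256([]byte("constructed-link-key"))
)

// sealWith encrypts with AES-256-GCM and returns nonce || ciphertext.
func sealWith(key [32]byte, plaintext []byte) []byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openWith reverses sealWith and fails on a wrong key or tampered data.
func openWith(key [32]byte, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Observer records every buffer the merchant's processing host handles,
// standing in for anything able to read that host's memory.
type Observer struct{ seen [][]byte }

func (o *Observer) record(b []byte) { o.seen = append(o.seen, append([]byte(nil), b...)) }

// Saw reports whether the card number appeared in cleartext on the host.
func (o *Observer) Saw(pan []byte) bool {
	for _, s := range o.seen {
		if bytes.Contains(s, pan) {
			return true
		}
	}
	return false
}

// TransitOnly models the baseline the article describes: each network hop is
// encrypted, but the host decrypts to process the transaction, so the PAN is
// in cleartext on the host before it is re-encrypted toward the processor.
func TransitOnly(pan []byte, obs *Observer) ([]byte, error) {
	wire := sealWith(linkKey, pan) // terminal -> host link
	clear, err := openWith(linkKey, wire)
	if err != nil {
		return nil, err
	}
	obs.record(clear)                     // cleartext PAN present on the host
	upstream := sealWith(linkKey, clear)  // host -> processor link
	return openWith(linkKey, upstream)    // processor side
}

// EndToEnd models encryption at the point of capture under a key the host
// never holds: the host forwards the blob and only the processor opens it.
func EndToEnd(pan []byte, obs *Observer) ([]byte, error) {
	blob := sealWith(processorKey, pan)
	obs.record(blob) // host handles ciphertext only
	return openWith(processorKey, blob)
}

func main() {
	pan := []byte("4111111111111111") // constructed test PAN
	var a, b Observer
	got, _ := TransitOnly(pan, &a)
	fmt.Printf("transit-only: processor got %s, host saw PAN: %v\n", got, a.Saw(pan))
	got, _ = EndToEnd(pan, &b)
	fmt.Printf("end-to-end:   processor got %s, host saw PAN: %v\n", got, b.Saw(pan))
}
```

Both flows deliver the same PAN to the processor; the difference is only where cleartext exists along the way, which is exactly the exposure a compromised internal host turns into a breach. Note that end-to-end encryption narrows that exposure to the terminal and the processor's key store; it does not remove the need for the rest of the PCI DSS controls on those endpoints.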

Robert Carr, chairman and CEO, Heartland, says: "PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps."

Heartland claims Carr has been calling for payments industry adoption of end-to-end encryption for over a year and is in discussions with other firms about improving security.

He also slams a lack of communication within the industry and says: "I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

In a blog for vendor Voltage Security, Luther Martin says: "Heartland appears to be an example of an organisation which assumed that simply passing its PCI audit meant that it was truly secure."

He adds: "This incident should serve as a wake-up call that PCI should be used as a starting point instead of an end point in the effort to protect sensitive data."

Comments (1)

A Finextra member, 28 January, 2009, 20:43

PricewaterhouseCoopers and Carnegie Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture - absent a new eCulture, breaches will continue to increase. For example: Microsoft patched for this worm 4 months ago. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www dot businessforum dot com/DScott_02 dot html
The book came to us as a tip from an intern who attended a course at the University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. What is necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome - or propagate one.