Heartland completes first phase of encryption pilot

Source: Heartland Payment Systems

Heartland Payment Systems (NYSE: HPY - News), one of the nation's largest payments processors, yesterday successfully completed the first phase of its end-to-end encryption pilot project. This first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland's processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data.

According to Robert O. Carr, Heartland's chairman and chief executive officer, to his knowledge, this is the first time encrypted transactions have been sent from a merchant's card reader to and through a major processor's payments network.

"Yesterday's transactions involved a Texas-based merchant and multiple credit card, prepaid and signature debit card transactions testing each of the major card brands," Carr explained. "These cards were read by our newly developed pilot tamper-resistant security module (TRSM) terminal. The data was encrypted as the electronic digits left the magnetic stripe and entered the TRSM hardware device. The data was then successfully transmitted to and through our processing platform for authorization and settlement.

"Typically, cardholder data is unencrypted as it leaves a merchant's terminal and is not encrypted until it is either tokenized in a gateway or at rest in the processing platform's data warehouse," Carr explains. "This means cardholder data in transit is at risk of being compromised should it get in the hands of cyber criminals or hackers via such methods as network or memory sniffer malware. To protect data throughout the lifecycle of a credit, debit or prepaid card transaction, Heartland is developing end-to-end encryption technology we call E3™ that is designed to encrypt the transaction from the card read through our network and ultimately through transmission to the card brands."

For Heartland, E3 protection involves five payment zones:

Zone 1:

From data entry/card read at the merchant to the authorization network of the processor.

Zone 2:
From the entry into the authorization network of the processor and through all points in which data is in motion within the network(s) of the processor and its sub-contractors.

Zone 3:
While the data resides in a central processing unit (CPU) or a host security module (HSM).

Zone 4:
In a direct access storage device (DASD)ASD) or archival storage.

Zone 5:
From the processor to the authorization and settlement centers of the card brand or issuer.

"Monday's successful test involved Zones 1, 2, 3 and 4," detailed Steven M. Elefant, Heartland's executive director of end-to-end encryption. "We believe that protecting data in these zones alone will significantly impact the protection of cardholder data.

"In Q4, Heartland expects to enhance protection in Zone 3," Elefant continued. "Protecting data in Zone 5 is contingent on the card brands. We are in active discussions with several of the brands, and our conversations have been very positive. Some card brands have indicated a willingness to pursue accepting transactions from those processors who send encrypted data. While we work on Zone 3 and collaborate with the brands on Zone 5, the next phase of this pilot project involves integrating a set of security-protected chips which we expect will further safeguard the data throughout the lifecycle of the transaction. Heartland plans to pilot this next phase in Q309."

"We plan to continue to expedite the development of E3 and launch it commercially late this year," Carr concluded. "We also plan to continue working with the ANSI ASC X9 Committee which is crafting an end-to-end encryption standard and follow that standard as much as practical. We are also working with established US equipment and software manufacturers to implement their TRSM devices into our E3 approach as soon as possible. We believe the marketplace will accept this higher level of payments security and are willing to share our knowledge and learnings with all industry stakeholders via the Payment Processors Information Sharing Council, FS-ISAC and Secure POS Vendor Alliance organizations."

Comments: (0)