Heartland Payment Systems has gone from data breach victim to card data security expert. Although the card payment processor suffered a data breach in late 2008, lost 50 percent of its market cap shortly thereafter, and spent more than $32 million in legal fees, forensic costs, reserves for potential card brand fines and other related settlement costs, it has since designed and implemented an end-to-end encryption system that puts it ahead of many of its peers in terms of data security. Details about the breach and Heartland's data security efforts since then are described in a paper the Federal Reserve Bank of Philadelphia released this week on lessons learned from the Heartland data breach. (At Bank Systems & Technology's Executive Summit last year, Kris Herrin, CTO of Heartland Payment Systems, did a video interview about his company's security efforts that can be viewed here.)

According to the paper, the method used to compromise Heartland's data was SQL injection. "Code written eight years ago for a web form allowed access to Heartland's corporate network," the report states. "This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland's systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn't occur until late 2007. After compromising Heartland's corporate network, the intruders spent almost six months and many hours hiding their activities while attempting to access the processing network, bypassing different anti-virus packages used by Heartland.
After accessing the corporate network, the fraudsters installed sniffer software that was able to capture payment card data, including card numbers, card expiration dates, and, in some cases, cardholder names as the data moved within Heartland's processing system. The fraudsters' focus on compromising data as they moved within Heartland's network - data in transit - rather than when they were stored in consumer databases - or, in other words, when data were at rest - was a relatively new phenomenon." A similar data-in-transit breach occurred earlier in 2008 at Hannaford Brothers, the paper notes.
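The paper attributes the initial foothold to a SQL injection flaw in an old web form. As an added illustration (not Heartland's code, and not from the Federal Reserve paper), the block below shows the defect class beside its fix: a login query built by string concatenation, and the same query written with bound parameters so that quote characters in user input can never alter the SQL. The in-memory SQLite table and its two accounts are constructed sample data.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny in-memory accounts table standing in
    # for the kind of web-form-backed database the article describes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Defect: the query is assembled from attacker-controlled text, so the
    # input is parsed as SQL rather than treated as a value.
    query = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Fix: a parameterised query. The driver sends the SQL text and the
    # values separately, so the query structure is fixed at write time.
    query = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"
    print("vulnerable, crafted input:", login_vulnerable(db, "alice", crafted))
    print("safe, crafted input:      ", login_safe(db, "alice", crafted))
    print("safe, real credentials:   ", login_safe(db, "alice", "s3cret"))
```

With a crafted password the concatenated version matches every row (the `OR` clause becomes part of the query), while the parameterised version returns nothing because the literal string is compared against the stored password. This is the check a code review or audit of legacy form handlers should be making: every query that touches user input uses bound parameters, not string assembly.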
Heartland's response to this intrusion has run along two lines: efforts to promote better information sharing among companies that perform PCI audits and that act as response investigators, and technologies to improve data security.
Heartland considered three types of data security - end-to-end encryption, tokenization and chip technology - and in the end settled on end-to-end encryption as the best method. The payments company has helped design a tamper-resistant security module that fits in a merchant's POS terminal and encrypts PINs as they're entered. It costs merchants $300 to $500. Data is decrypted only after it's been received into Heartland's hardware security modules and when required by the card brands to enter their authorization networks.