PRINCETON, N.J. -- (BUSINESS WIRE) -- Heartland Payment Systems (NYSE:HPY), one of the nation’s largest payment processors, today is introducing Heartland Secure™ – a comprehensive credit/debit card data security solution that combines three powerful technologies working in tandem to provide merchants with the highest level of protection available against card-present data fraud.
Featuring a breach warranty, this innovative solution is designed to provide merchants with protection against point-of-sale (POS) intrusions, crimeware, miscellaneous errors, insider misuse and other common sources of card-present data fraud by eliminating the opportunity for criminals to monetize card data.
Offered to Heartland customers for no additional processing fees as part of Heartland’s comprehensive solutions, Heartland Secure combines:
“Security breaches against large retailers like Target and Neiman-Marcus get most of the publicity, but there were more than 679 data security incidents reported in the retail and accommodation merchant sectors in 2013, and 285 of them involved confirmed data losses,” said Robert O. Carr, chairman and CEO of Heartland Payment Systems. “Unfortunately, the real breach numbers may be much higher, and the FBI believes we can expect more credit card breaches in the US. We designed Heartland Secure as a security solution for customers using POS and other card-present processing methods.”
On January 17, the Federal Bureau of Investigation (FBI) sent a confidential, three-page report to retail companies warning them to prepare for more cyber attacks based on their discovery of roughly 20 hacking cases that involved the same type of malicious software used against Target last December. The FBI cited the accessibility and affordability of malware on underground forums and the huge potential profits to be made from retail POS systems in the United States as factors that make this type of cyber crime attractive to a wide range of cyber criminals.[1]
Based on data provided by the Open Security Foundation and RiskBased Security, the Online Trust Alliance’s (OTA) 2014 Data Protection and Breach Readiness Guide[2] states that more than 823 million records were exposed in 2013, including credit card numbers, email addresses, login credentials, Social Security numbers and other related personal information. OTA estimates that 37 percent of these breaches were the result of actual hacks, and another 31 percent were due to lack of internal controls, which enabled accidental or malicious events.
According to the Verizon 2014 Data Breach Investigations Report[3], 2013 could be characterized as “a year of transition from geopolitical attacks to large-scale attacks on payment card systems.” The report also said 2013 would be remembered as the “year of the retailer breach.” POS intrusions accounted for 31 percent of the retail breaches where data was confirmed stolen, with payment card skimmers accounting for another six percent. POS intrusions accounted for 75 percent of the confirmed-stolen accommodation sector breaches.
“Most small businesses simply aren’t aware of the extent of data security breaches, or the potential liabilities,” said Michael English, executive director, Product Development, for Heartland Payment Systems. “Damage to brand reputation can be devastating, and the fines can be astronomical if a company is out of compliance with Payment Card Industry (PCI) Data Security Standards (DSS). One large retailer was assessed more than $10 million in fines for a 2010 network intrusion, and more than one small company has gone out of business facing hundreds of thousands of dollars in fines.”
How Heartland Secure Works
Heartland customers have benefitted from E3 and tokenization for a number of years, with EMV acceptance enabled within the last 12 months. Based on their respective success, the company has combined them into a seamless end-to-end security option called Heartland Secure. Here’s how it works.
EMV chip cards fight fraud at the physical point of sale by verifying that the presented card is genuine. The smartcard chip contains dynamic data that is validated in a more secure manner than the static data of a magnetic stripe, which makes the card data harder to counterfeit. Heartland’s new POS systems are capable of processing EMV cards, which will be a required standard in the U.S. for most businesses by October 2015. Noncompliant merchants will bear all financial liability for all fraudulent transactions.
E3 encrypts cardholder information at the earliest point of the transaction – at card swipe, key entry, tap or insertion – so that it is never available in readable form to crimeware programs. Terminals and customer card entry devices carrying the E3 brand are PCI SRED approved or feature a tamper-resistant security module housed within the terminal, reader or PIN pad so that the device can’t be converted into a skimming instrument. Card information is always encrypted, and is never transmitted or stored in a useful form. So even if a hacker obtained the information, it would be meaningless and of no usable commercial or financial value.
Coalfire Systems, a Payment Card Industry (PCI) Qualified Security Assessor (QSA), performed an independent security assessment of Heartland’s E3 end-to-end encryption terminal. They found E3 to be one of the most effective data security controls available to merchants today, able to reduce the scope of PCI compliance by up to 79 percent, minimizing the merchant’s cost of PCI compliance assessment and validation. Coalfire also stated that E3 provides a true “end-to-end” solution for merchants with no need to decrypt data before the handoff to the processor. For more information on Coalfire’s assessment of E3, visit http://www.heartlandpaymentsystems.com/E3-Secure/Coalfire/E3-Terminal.
Tokenization protects card data after a transaction is authorized by substituting a token for a card’s number. If a system is compromised and tokens are taken, they have no real value in the outside world. According to PCI-DSS, tokenization is the most effective way of minimizing the PCI compliance footprint. It also offers merchants the peace of mind that they are storing no customer credit or debit card information on their computer system usable by outside parties.
“There is no single technology solution to payment transaction security,” said Carr. “EMV, E3 and tokenization are all good security technologies individually, but combined in the Heartland Secure system they operate together to place usable card data out of the reach of data criminals. In short, Heartland Secure eliminates the monetization of card data as a result of skimming, POS intrusions and ‘man in the middle’ attacks while reducing a merchant’s PCI compliance costs and worries.”
[1] Exclusive: FBI warns retailers to expect more credit card breaches: http://www.reuters.com/article/2014/01/24/us-target-databreach-fbi-idUSBREA0M1UF20140124
[2] OTA 2014 Data Protection and Breach Readiness Guide: https://otalliance.org/resources/incident/2014OTADataBreachGuide.pdf
[3] Verizon 2014 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2014/
About Heartland Payment Systems
Heartland Payment Systems, Inc. (NYSE:HPY), the fifth largest payments processor in the United States, delivers credit/debit/prepaid card processing, mobile commerce, e-commerce, marketing solutions, security technology, payroll solutions, and related business solutions and services to more than 275,000 business and educational locations nationwide. A FORTUNE 1000 company, Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. Heartland also established The Sales Professional Bill of Rights to advocate for the rights of sales professionals everywhere. More detailed information can be found at HeartlandPaymentSystems.com, or follow the company on Twitter @HeartlandHPY and Facebook at facebook.com/HeartlandHPY.
This press release contains statements of a forward-looking nature which represent our management’s beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including risks and additional factors that are described in the Company’s Securities and Exchange Commission filings, including but not limited to the Company’s annual report on Form 10-K for the year ended December 31, 2013. Given these risks and uncertainties, prospective and current investors are cautioned not to place undue reliance on such forward-looking statements. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.