The second Keynote speaker for the ATM, Debit & Prepaid Forum 2009 was Robert O. Carr, Chairman and CEO, Heartland Payment Systems. Proud of their reputation for full disclosure with merchants, they had to put it to the test with their Jan 20, 2009 announcement of their data breach.
PCI compliance is intended to target data at rest. One of the things that changed after the Hannaford payment breach announced in March 2008, and also in the Heartland example is that the criminals targeted data in-motion. Additional potential techniques for added security include:
- Chip & PIN
- End-to-end encryption (E3)
- Dynamic Data Authentication
Heartland has shown an interest in end-to-end encryption with Voltage and dynamic data authentication. Visa recently published new global industry best practices for data field encryption (see Payments News post here).
Interestingly Heartland is not pursuing tokenization, which has gained traction in some merchant environments. Tokenization is one of several approaches used by merchants to avoid handling and storing a bankcard PAN (primary account number). The merchant uses a token or hash of the PAN to represent the customer in their systems. Should they need to identify the card information, the token provider can decode the token. This approach is best suited to protecting long-term data storage of card data and is already in use at a number of major merchants particularly to support their understanding of customer purchases for loyalty programs.
Who better to lead the charge for End-to-end encryption? Heartland has developed a framework and a strategy for E3. They have been working with American National Standards Institute to support standards and FS-ISAC to support anonymous sharing of data amongst competitors. The cost of their data breach experience should provide other companies justification to invest in new technologies and approaches to protect cardholder data.