Heartland Payment Systems has announced it will offer end-to-end encryption to its merchants for their payment card processing after last year's hack attack that may have compromised more than 100 million card accounts. The company still does not know how many accounts were affected by the data breach, reports Wired.com's Threat Level blog.
Heartland has embraced end-to-end encryption because it had to after last year's debacle, says Bank Info Security.
Heartland is raising the bar in retail payments security by bringing end-to-end encryption to its network. It will be expensive and a big logistical challenge to execute, but the company has little choice other than to take a security leadership role on the heels of its near-catastrophic data breach last year, says Tom Wills, senior analyst, Security, Fraud & Compliance, Javelin Strategy and Research. He compares Heartland's situation and action to the Israeli airline El Al's actions to bolster its security processes. "El Al, after it suffered repeated hijackings in the 1970s, went on to become the world's most secure airline. Heartland will need to do the same thing in the acquiring industry to regain the credibility it has lost," Wills notes.
The question now is whether end-to-end encryption will catch on. The players in the payment card industry are resistant to change, notes Wills, while Avivah Litan, a distinguished analyst at Gartner Group, tells Bank Info Security that it will be difficult to get merchants to upgrade their card terminals and that there will have to be good key management practices if the encryption is based on personal identification numbers.
Adil Moussa, a payment card industry analyst at Aite Group, says that right now it is cheaper for companies to weather a data breach than to invest in end-to-end encryption. When that changes, or when more companies suffer a big breach like Heartland's, he says, more investment will pour into conversion to end-to-end encryption.
The hack attack has already cost the Princeton, New Jersey-based Heartland $12.6 million in damages, which includes fines from Visa and Mastercard for not adhering to the payment card industry's rules, known as the PCI Data Security Standard. Visa responded to Heartland's announcement of the breach in January by taking the company off its preferred payment processor list in March. The company, however, was recertified and placed back on Visa's PCI-compliant list on April 30.