Rethinking the Fortifications: Q&A With Heartland CIO Steven Elefant
Following a breach of its computer systems a year ago, Heartland Payment Systems, one of the five largest payment card processors in the United States, came under considerable pressure to strengthen its IT security, and it's been embroiled in several lawsuits because of the breach.
In January 2009, hundreds of thousands of business owners were stunned when Heartland announced its systems had been breached. Heartland's services include card processing, payroll services, check management, online payments and micropayments. It served about 250,000 business locations and processed about 4 billion transactions every year at the time, according to its Web site.
Heartland's systems were breached the previous December, but the company did not detect it until it was notified by MasterCard and Visa, who had received complaints from cardholders of spurious charges rung up on their accounts. The fallout led to class action suits and a lawsuit from American Express.
Payouts are not the only pain Heartland is suffering from the lawsuits. The settlement of the class actions includes a requirement that Heartland submit the report of an independent expert on its actions and pledge to enhance the security of its computer systems. Further, news of any more breaches could well drive card issuers and other customers into the arms of its competitors and possibly elicit the wrath of the relevant regulatory authorities.
Probably the only bit of good news -- if it could be described as such -- is the fact that the hacker charged with cracking Heartland's systems, Albert Gonzalez, is allegedly an expert cybercriminal, not just an average hacker, indicating a high level of expertise was needed to crack into Heartland's systems.
The pressure now placed on Heartland has forced the processor to revamp its systems. The company's CIO, Steven Elefant, spoke with TechNewsWorld to discuss what his company has done to improve security.
TechNewsWorld: Since the break-in into your systems in December of 2008, have you done anything to further secure your IT systems?
Steven Elefant: Yes, we've made a few positive changes.
TNW: What can you tell me about what you've done without disclosing crucial details about your security?
Elefant: We've introduced an end-to-end encryption program, what we call "E3." When data leaves the mag stripe on a card after the card gets swiped on a terminal and is converted from analog to digital form, we encrypt it.
We have the transaction completely encrypted using Voltage's security and strong AES encryption right through the rest of the transaction through the terminal, over the wires and to our processing center. There's never a time outside a hardware security module that there's clear text information exposed anywhere throughout the process.
That's a radical new way to do things in the credit card industry -- up to now, everything has been sent in clear text. For most people, when they talk about end-to-end encryption, they're really talking about point-to-point -- so the data may be secure from a terminal to a gateway, or from a gateway to a processor, but unless it's truly protected from the time a card gets swiped to the end when it's on your back-end processors, it's not safe.
Background: Voltage Security uses a technology it calls "Format-Preserving Encryption," or FPE. This encrypts data in databases and applications without changing the format of the original structured information, unlike standard encryption methods that alter the original format of data.
The drawback to changing the data format is that the data schema are changed and so are application.
It's easier to make mistakes when such changes are made. It also costs more to encrypt and then decrypt data when its format is changed.
FPE is a mode of standard AES that's recognized by the National Institute of Standards and Technology (NIST). AES, the Advanced Encryption Standard, is the first publicly accessible and open cipher approved by the National Security Agency for top secret information. It is used by the U.S. government.
TNW: How does the Voltage solution work for you?
Elefant: We now can have strong AES encryption where we're encrypting the tracks around the card -- tracks 1 and 2. This works both on a terminal and a wedge that you can plug into a point-of-sale system. They have tamper-resistant modules where if you try to open up or drill into the terminal or the wedge, they will render the key inoperable.
Credit cards have three tracks, and these have more information about you than what's put on the front of the card. The terminal is the point of sale terminal; a wedge is a magnetic stripe reader. The wedge is velcroed on the side of a monitor or on the counter at a retailer's. It plugs into a USB port that talks to point-of-sale software.
TNW: As you know, iPods and iPhones are great data storage devices, and people have plugged them into point-of-sale terminals to steal data. Can people steal data by doing this now that you're using Voltage's end-to-end encryption?
Elefant: Data from the credit card's encrypted when the card's swiped so, even if the data is stored in the merchant's terminal, it's fully protected. The only thing that talks to the wedge or the point-of-sale system is the security-encrypted module. There's no way to get that data.
TNW: Encrypting data is like building a wall, and you know what happened in World War II with the Maginot Line -- the Germans just went right around it. Wouldn't criminals be able to do an end-run around the encryption?
Elefant: Voltage is one part of our security solution. We have what I'd term a 1-2-3 punch.
One is what I term "dynamic data authentication" -- we use different technologies to fingerprint the magnetic stripe, as it were, or use a chip and pin to authenticate the card. This cuts down the creation of fraudulent cards.
That's paired with end-to-end encryption.
On the back end, we have post-processing tokenization. When we get the transaction securely, we tokenize it and send back a token to the merchant so they never have to see a card number for settlement or handle back-end processing like crediting purchases. We take the time and data and specific information that we have and create a secure, unique token. There's no way to reverse-engineer the card number from the token.
TNW: Are you doing other things like live log tracking? There are systems available which alert IT immediately when there's a breach attempt or a system has been breached?
Elefant: Yes we do, and we did at the time of the breach, but the sophistication of hackers is quite significant. The bad guys are getting smarter and smarter. We can build firewalls and intrusion detection systems higher and higher, but these are organized criminal gangs we're dealing with, not 14-year-old hackers.
Although we'll do our best and expend a great deal of resources in trying to keep them out, we'll have to assume they'll get in. That's why we've introduced our end-to-end encryption program.
One of the security agencies we've been spending a lot of time with in Washington takes the same approach. When the President wants to talk to anyone through a secure channel, the agency encrypts it because it assumes people will get through their defenses.
We add layer upon layer of security to make it as secure as we possibly can. There's no such thing as a silver bullet, but we try to get as close to that as we can.
TNW: You feel very confident in your approach to security?
Elefant: Heartland has never shied away from security; there's never been a single hardware or software or full-time employee request for security that's been turned down. We have 300-plus IT pros that live and breathe security every day.
We've also started several organizations, including the PPISC -- Payment Processing Information Sharing council. We now have 13 of the top 15 payment processors in the U.S. on the PPISC, and that represents over 75 percent of the transactions in the U.S.
We've invited all our competitors to join us and share information. We want to make sure that not only does this not happen to us again but that it doesn't happen to anyone else either.
We've provided tools to our competitors that are not offered by any security vendors to let them search for malware. We had our last meeting in the fall in Washington, and we found 350 pieces of malware that standard security software didn't detect.
We've included a number of different resources in PPISC, and we've been working closely with law enforcement. Also we've got the Secret Service to share specific malware and IP addresses of active cases they're working on.
We also founded the Secure Remote Payments Council. [*Editor's Note - Feb. 1, 2010] This focuses on creative solutions for non-face-to-face card purchases or cases where card purchases come in from Web sites over the Internet.
We have a number of major players in the industry, such as debit networks and hardware processors, and we've tried to create some standards around end-to-end encryption.
We've also sponsored an initiative with ANSI, and there's a working standard being developed -- X9.119 -- for end-to-end encryption.
TNW: You're joining hands with other organizations and companies because the criminals don't believe in borders, and that's one of the things that makes them so difficult to track and stop, yes?
Elefant: Analysis and defense against threats shouldn't be a competitive differentiator, and that's something the good guys have to share, so we bring in law enforcement, the processing community, brands, ISACs and the PPISC, which works closely with intelligence and the Department of Homeland Security and law enforcement.
We also work with several ISACs -- Information Sharing and Analysis Centers.
The bad guys are very good at sharing information -- they have hacker conventions and Web sites -- and the good guys aren't very good at it. We believe that identifying threats should not be a competitive differentiator, but how you react to them may be one.
*ECT News Network editor's note - Feb. 1, 2010: Heartland is a founding member of the SRPC but NOT the founder, noted spokesperson Leanne Scott Brown, who contacted ECT News Network on Feb. 1 to clarify Steve Elefant's comment.