PRINCETON, NJ -- Heartland Payment Systems has reported the successful conclusion of the first phase of its massive "end-to-end" encryption initiative. Heartland, one of the nation's largest payment processors, has long been critical of what it regards as lax data security standards for credit and debit cards.
The first step involved applying "live" AES (Advanced Encryption Standard) to the transmission of transactions from a merchant to Heartland's processing platform. AES provides the highest level of encryption available today, and is on track to replace the existing DES (Data Encryption Standard) and Triple DES as the preferred encryption scheme for sensitive information.
Heartland chairman and chief executive Robert O. Carr said that, as far as he knows, this is the first time encrypted transactions have been sent from a merchant's card reader to and through a major processor’s payments network.
Carr explained that, to date, cardholder data typically has not been encrypted before leaving the merchant terminal; it has been encrypted either when it is "tokenized" at the gateway, or after it has been received and stored in the processing platform's data warehouse. "This means cardholder data in transit is at risk of being compromised, should it get into the hands of cybercriminals or hackers via such methods as network or 'memory sniffer' malware," he noted.
In order to protect data throughout the lifecycle of a credit, debit or prepaid card transaction, Carr continued, Heartland is developing end-to-end encryption (E3) technology designed to encrypt the transaction from the initial "card read" right through the network and transmission to the card brands.
For Heartland, this E3 protection involved five "payment zones." In the first, information is protected from the "card read" or other data entry at the merchant terminal to the processor’s authorization network. In the second, it is protected from its entry into the authorization network and through all the points at which it moves across the networks of the processor and its subcontractors. In the third, it is protected while it resides in a central processing unit or a host security module (HSM). In the fourth, protection is provided to data in any direct-access storage device or in archival storage. And, in the fifth, it is protected from the processor to the authorization and settlement centers of the processor and its subcontractors.
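To make Zone 1 concrete, the following is an added example written for this page; it is not Heartland's E3 code, and the article does not describe E3's actual message format, cipher mode or key management. It models, in Go, a terminal encrypting the card read with AES-256-GCM before anything leaves the device, a check of what an observer on the transmission path (the "network or memory sniffer" scenario above) can recover from the wire bytes, and the processor authenticating and decrypting the message. The key derivation, the terminal identifier used as associated data, the wire layout and the sample card string are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample only: a test-number style string, not real cardholder data.
const samplePAN = "4111111111111111|1225|CARD READ AT TERMINAL"

// Assumed terminal identifier, bound to the ciphertext as associated data so a
// message sealed for one terminal does not verify when presented as another's.
const terminalID = "TERM-0001"

// newTerminalKey returns a random 256-bit AES key. In a real deployment this
// would be injected into the reader's secure element, not generated ad hoc.
func newTerminalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16/24/32-byte keys only
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt models Zone 1: the card data is sealed at the point of read.
// Wire layout (assumed): nonce || ciphertext || GCM tag.
func terminalEncrypt(key, cardData []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cardData, []byte(terminalID)), nil
}

// processorDecrypt is the receiving side: it verifies the tag (detecting any
// modification in transit) before returning the cardholder data.
func processorDecrypt(key, wire []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(wire) < ns+gcm.Overhead() {
		return nil, errors.New("wire message too short")
	}
	return gcm.Open(nil, wire[:ns], wire[ns:], []byte(terminalID))
}

// exposesCardData is the sniffer's-eye check: does the plaintext card string
// appear anywhere in the bytes that actually crossed the network?
func exposesCardData(wire, cardData []byte) bool {
	return bytes.Contains(wire, cardData)
}

func main() {
	key, err := newTerminalKey()
	if err != nil {
		panic(err)
	}
	cardData := []byte(samplePAN)
	wire, err := terminalEncrypt(key, cardData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible on the wire: %v\n", exposesCardData(wire, cardData))
	got, err := processorDecrypt(key, wire)
	fmt.Printf("processor recovered card data: %v (err=%v)\n", bytes.Equal(got, cardData), err)
	// Flip one bit of the tag: the processor must reject the message.
	wire[len(wire)-1] ^= 0x01
	_, err = processorDecrypt(key, wire)
	fmt.Printf("tampered message rejected: %v\n", err != nil)
}
```

The point the example makes is the one Carr describes: once the reader seals the data, everything between the terminal and the processor's host carries only ciphertext, and GCM's tag means a modified message is rejected rather than decrypted to garbage. Zones 2 through 5 are about where that key material and the decrypted data are allowed to exist, which this snippet does not model.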
Heartland's executive director of end-to-end encryption, Steven M. Elefant, reported that the successful test involved the first four of these five zones. "We believe that protecting data in these zones alone will significantly impact the protection of cardholder data," he said. Elefant added that the company expects to enhance protection in Zone 3 in the fourth quarter.
"Protecting data in Zone 5 is contingent on the card brands," the Heartland encryption expert continued. "We are in active discussions with several of the brands, and our conversations have been very positive."
Carr reported that Heartland plans to continue expediting the development of the E3 system, and to launch it commercially late this year.