The Heartland Payment Systems breach has had a big impact, albeit not a transformational one, on the state of data security because it forced all of the key players from government, payments and retail to collaborate on the creation of better solutions.
Today, payments processors and vendors are challenging themselves to innovate faster than cybercriminals, and as bad as it was for Heartland and all of the people affected by the breach, we have seen some forward progress.
Heartland recently made headlines with news about its new end-to-end encryption capabilities (you can view Heartland CEO Bob Carr's June 10 interview with SC Magazine's Dan Kaplan on the topic).
While this is definitely a step in the right direction for small and midsize retailers, also known as Level 3 and 4 merchants, several factors that play into data protection in the payments environment must still be addressed for large retailers (Level 1 and 2 merchants).
System interoperability and encryption transparency are among the most imperative issues that the industry must tackle. Add social engineering and poor user security habits to the mix, and it is clear that there is no single solution to the problem.
The Heartland breach and Heartland's subsequent end-to-end encryption program have forced a closer inspection of the total flow of cardholder data through the payment process.
Heartland has improved its own security profile, yet large parts of the overall flow are still exposed to attack. These include the points where data is funneled through central merchant headquarters, the settlement request and the bank transfer.
A genuine end-to-end protection process covers the whole transaction: it starts at the point of swipe, continues through the authorization request to the payment processor, and ends with final settlement, with close to a dozen additional touch points in between. Attackers will always move to the point in the flow with the lowest resistance, which is why strong protection must be applied consistently across the entire process rather than at one or two links in the chain.
In addition to factoring all points in securing the flow of sensitive data, chief security and compliance officers also need to consider the following issues:
- Interoperability: Standards-based encryption algorithms, FIPS 140-validated hardware and key management solutions will be necessary for the different stakeholders in the complete payments process to exchange sensitive information securely. Standardization will require a central body to initiate and arbitrate trust between participating organizations and individuals alike, and could be an excellent opportunity for an established player within the payments ecosystem (retailer, payment processor or vendor) to lead the way.
- Protect the card: A comprehensive end-to-end solution must always start by protecting the card itself. EMV chip cards, for example, have the chip produce a transaction-specific cryptogram that the issuing bank verifies, so card data captured from a merchant's systems cannot simply be replayed to clone a card. The challenge is that approaches like this need much wider adoption to make a sustained difference.
- Tokenizing to reduce audit costs and risk: Tokenization is an emerging data security method that is closely related to encryption but approaches the problem from a slightly different angle. Instead of encrypting the data in a reversible fashion, tokenization replaces the card number with a surrogate value that is associated with the "real" data only in a well-protected lookup table, so a stolen token cannot be decrypted back into a card number. As merchants and credit card processors continue to struggle with securing cardholder data, many of them are increasingly using this approach to reduce their exposure. Beyond easier deployment and smoother interaction with applications, tokenization's biggest draw is that systems which store only tokens no longer hold cardholder data, which can dramatically shrink the scope, and therefore the cost, of PCI DSS audits.
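To make the tokenization point concrete, here is an added illustration, not code from Heartland or from any vendor named in this article. It is a deliberately small in-memory token vault (the hypothetical `TokenVault` class, the `luhn_valid` helper and the `merchant_sale_record` function are all assumptions made for this example, and the card number used is a public test number). It shows the three properties that make a token useful: the token is random rather than a reversible encryption of the PAN, so it cannot be "decrypted"; it preserves the last four digits but is built to fail the Luhn check, so it can never be mistaken for or charged as a real card number; and the mapping back to the PAN is available only to a caller in an authorized role, so the merchant's own systems can hold tokens without ever holding cardholder data.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Real PANs pass it; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization vault (constructed for this example).

    The PAN is stored only inside the vault. Everything outside it handles the
    surrogate token, which is random and therefore cannot be decrypted; it can
    only be looked up, and only by a caller role the vault trusts.
    """

    DETOKENIZE_ROLES = {"settlement"}   # e.g. the settlement service, never the POS

    def __init__(self, index_key: bytes):
        # Keyed fingerprint of the PAN, used only to find the existing token for
        # a repeat card without keeping a plaintext PAN index.
        self._index_key = index_key
        self._token_to_pan: dict[str, str] = {}        # the protected lookup table
        self._fingerprint_to_token: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:            # same card seen before
            return self._fingerprint_to_token[fp]
        while True:
            # Keep the last four digits (receipts and customer service need them)
            # and randomise the rest. Reject candidates that pass Luhn, collide
            # with an existing token, or happen to equal the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def merchant_sale_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own systems keep: a token and the last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed demo key; 4111 1111 1111 1111 is a widely published test PAN.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    rec = merchant_sale_record(vault, "4111111111111111", 1999)
    print("merchant stores:", rec)
    print("settlement sees:", vault.detokenize(rec["token"], caller_role="settlement"))
    try:
        vault.detokenize(rec["token"], caller_role="pos")
    except PermissionError as exc:
        print("POS blocked:", exc)
```

In a real deployment the lookup table lives in a hardened service with its own audit trail, and the index key and vault storage are the components that stay inside PCI scope; the point of the exercise is that they are the only such components.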
Taking into consideration these factors, I don't see one silver bullet to answer the payment industry's data security problems. Rather, a combination of changes needs to happen that focus on safeguarding data in every part of the payments data flow.
I think we are getting closer to where we need to be, but we can never rest on our laurels, as history has taught us that the criminals will always be nipping at our heels.