Heartland Comes Out Swinging After Data Breach

In the months following the disclosure of what may be the largest data breach in US history, Robert O. Carr, chairman and CEO of Heartland, has come out swinging. Instead of going into a near-death spiral of damage control mitigating the revelation that 100 million customer records leaked during 2008, Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance.

Carr has been quite frank when talking about the breach itself, as opposed to the relative silence from TJX after its data breach back in 2007. Heartland said early on that they believed someone placed a listener program in the stream where data in motion was not encrypted. When the Payments Processing Information Sharing Council (PPISC) met for the fist time this week in St. Pete Beach, Florida, Carr took the unusual step of handing out USBs with the malware code found on the Heartland system at the time of their breach as well as malware discovered through other data breach investigations in 2008 and 2009 so other payment processors could look for malware on their own systems. Carr said in his Q1 2009 Earnings Call on Thursday that other industries share security information like this, why can't the card processors?

Additionally, Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company. Currently, processors must unencrypt customer credit card data on the last step due to legacy systems in place the card companies. Heartland hopes to offer their E2E service in the third quarter of this year.

Finally, Carr has been most outspoken against his competitors, some of whom he says tried to use the data breach against Heartland. There were serious repercussions from the breach: Both Visa and MasterCard removed Heartland from their lists of PCI DSS-certified processers, and at least MasterCard also imposed a hefty fine on banks using Heartland. The company also faces a class action lawsuit. Separately, Carr himself is under investigation from the SEC regarding a stock sale he made late in the 2008.

Last week, Heartland, which processes card data primarily from restaurants, gas stations, and hotel, was certified again as PCI DSS compliant by Visa, MasterCard, and Discover. "We hope that this will end once and for all the host of falsehoods and misleading statements that a few competitors have been using, admittedly with some success to scare merchants into leaving Heartland," Carr said in the earnings call.

Robert Vamosi is a risk, fraud, and security analyst for Javelin Strategy & Research and an independent computer security writer covering criminal hackers and malware threats.