Wednesday, August 12, 2009

Industry’s Tenuous Hold on Security

August 12, 2009

The news out of Princeton, NJ is a stark reminder of just how big a problem card data security has become.

Heartland Payment Systems, which by most accounts ranks as the sixth largest card processor in the U.S., took a $2.6 million loss (or 7 cents a share) for the second quarter because of a $19.4 million charge against earnings to settle claims and legal fees related to the massive security breach it uncovered in January. Compare this to figures for the same quarter last year, when Heartland reported an $11.5 million profit, or 30 cents per share.

Card data security ain’t cheap, folks. It ain’t easy, either. And if the industry doesn’t make some real changes soon, its hand may be forced by retailers. Visa and its compatriots on the PCI Council would have us believe data security is as simple as abiding by the PCI Data Security Standard.

But as Heartland, and more recently Network Solutions Inc., discovered to their horror, the PCI standards aren’t up to the task at hand. At best, they are a first step.

“PCI is nothing more than an elaborate patch,” wrote Dave Hogan, CIO at the National Retail Federation (NRF), in an NRF technology blog entry August 5. Echoing testimony he gave before Congress earlier this year, Hogan continued: “While PCI can reduce some fraud – at extraordinary cost – it is not nearly as effective as a redesign of card processes themselves.”

(The entire blog entry is available at: http://blog.nrf.com/2009/08/05/pci-compliant-you-are-until-they-say-you%E2%80%99re-not/. It’s worth reading if for no other reason than to get a better fix on where retailers are coming from on this issue.)

Hogan’s comments were written in response to news of the Network Solutions breach. A name that is practically synonymous with the Internet, Network Solutions, among other things, provides a full suite of e-commerce solutions for thousands of smaller merchants. In this capacity, the company regularly relays card transaction data to merchant processors.

I asked this question recently in a column published by the Green Sheet, and it bears repeating here: How many of these high-profile, high-cost breaches must we as an industry experience before the card companies get serious about and improve card data security requirements? (http://www.greensheet.com/gsonline_pdfs/090702.pdf)

Outside of Visa, MasterCard and the PCI Council, a lot of folks (including Heartland CEO Bob Carr and NRF’s Hogan) are pushing for tougher measures, like card data encryption. Last week, Hogan was quoted in a press release from Electronic Payment Exchange, a Wilmington, DE-based payments processor for large retailers and banks.

EPX was announcing a new end-to-end payment solution that incorporates both tokenization and encryption. The company’s trademarked technology, known as BuyerWall, protects data from the moment a card is swiped at the point of sale.

(A bit of background: Encryption built into POS hardware and software protects against potential breaches before card numbers enter the authorization process, by immediately encoding the data captured from the mag stripe. Tokenization is the process by which card account numbers get converted to random alpha-numeric gibberish, with the real number kept only in a vault at the processor. Combined, these two processes are supposed to render it practically impossible for hackers to capture card numbers in transit, and eliminate any need for merchants to store card numbers in their POS systems or databases.)

"Protecting consumers’ credit card data against today’s professional hackers is a challenge for all merchants. EPX's announcement of a solution that offers both end-to-end encryption along with tokenization is going to be well received by the entire retail industry," Hogan stated in a press release EPX sent out today.

Sounds to me like the retailers have spoken. I wonder how the card companies will respond?

Patti Murphy
