Heartland, After The Hacking

The data breach at Heartland Payment Systems was a disaster for the company. But after picking up the pieces, the company is looking ahead to a more secure future.
"We firmly believe that knowledge of security threats should not be viewed as a competitive advantage," said Elefant, adding, "The good guys need to create a different mindset and a different culture."

Heartland also believes in encryption. Following a pilot test started in June, the company expects to roll out end-to-end, or data field, encryption for its payment processing network before the end of the year.

"The idea here is to render the data unusable," said Elefant. "If the bad guys get in, that data is not going to be useful for them."

Elefant's message about the virtues of encryption can be heard elsewhere too. On Monday, Visa released a set of guidelines for implementing data field encryption.

"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security at Visa, in a statement.

Heartland has also taken to manufacturing its own payment terminals because none of the existing payment terminals were sufficiently secure, said Elefant.

Heartland's E3 terminals implement an identity-based encryption scheme that generates new cryptographic keys every day, so that the compromise of a terminal's hardware key does not leave all subsequent data accessible.

"We feel this is the direction that the industry really needs to go," said Elefant.

And that direction leads to a security model that includes both hardware and software. "We fundamentally believe there is no such thing as safe software anymore," said Elefant.

Elefant also supports harmonizing international laws on cybercrime. Although Albert Gonzalez of Miami, Fla., was indicted in August for hacking into Heartland and many other companies and pleaded guilty later that month, Elefant says that the criminal gang behind the attack remains out of reach overseas.

"We know exactly who are the people in Russia who came after us, but the Secret Service can't go after them because they're in Russia and they're unassailable," he said.

Elefant believes the industry needs to work together to make security a priority. "It takes time to make changes," he said. "The perfect storm is happening right now."
