Heartland's Carr on U.S. Card Security ShortcomingsCalls for Widespread Use of Encryption, Tokenization
Bob Carr, founder and CEO of Heartland Payment Systems, contends that not enough progress has been made in improving payments security in the seven years since his processing firm experienced a massive breach.
He offered that harsh assessment in his keynote address at Information Security Media Group's Data Breach Prevention & Response Summit Oct. 21 in New York.
"Without tokenization and end-to-end encryption, payment data will still be vulnerable to attack and compromise."
Carr's perspective may come as a surprise, given the massive investments U.S. banking institutions, payment processors and retailers are making to ramp up their adoption of EMV technology - a chip-payment technology that is far more secure than the standard magnetic stripe that has for decades reigned in the U.S.
But during his keynote address, Carr said EMV alone is far from enough. Without tokenization and end-to-end encryption, payment data will still be vulnerable to attack and compromise.
Heartland's Security Lessons
It's a security lesson Carr learned the hard way back in 2008, after Heartland's network was breached, leading to the compromise of some 130 million credit and debit cards (see Heartland Data Breach: TJX Hacker Indicted for Crime).
Heartland's breach cost card issuing banks and credit unions about $500 million, Carr said. The processor ultimately settled with the card brands and paid impacted banking institutions a collective $150 million for the fraud and losses they suffered, he added.
If the same type of processor breach were to occur today, Carr said the cost to banks and credit unions would likely be billions of dollars, and there's no way Heartland, or any other processor or retailer, could afford to pay issuers the full amount to cover that cost. And even with the widespread use of EMV, much of the same information that was breached in the 2008 Heartland attack, such as personal account numbers, expiration dates and service codes, could still be breached, he added.
That's a disheartening realization, given the massive investments the U.S. payments ecosystem is making to adopt EMV. But it's why Carr believes merchants have to deploy tokenization, encryption at the terminal level, as well as end-to-end encryption, which must be provided by processors, to ensure that card data is fully protected.
Until that happens, card data is still at risk, he contended.
Eduardo Perez, senior vice president of payment risk for Visa, offered a similar message in his keynote address at our Fraud Summit New York on Oct. 20. While Visa is not mandating that merchants invest in tokenization and encryption, the card brand is highly recommending it.
How Much Can Merchants Afford?
Of course, spending more for card security is a sore spot for merchants, especially given the challenges they already face implementing EMV.
At an Oct. 21 House Small Business Committee hearing about the EMV migration's impact on smaller merchants, Jared Scheeler, managing director of The Hub Convenience Stores, testified that small businesses have essentially had their hands tied behind their backs when it comes to reducing card fraud. He argued the card brands are to blame (see Is EMV Bad News to Small Businesses?).
"It does not appear that the card companies took into consideration the realities of operating a small business when they came up with their [EMV] transition plans," Scheeler testified. "In addition to the substantial time and money involved, the card companies have erected considerable obstacles that restrict my ability to reduce payment card fraud at my stores."
Scheeler, who owns four convenience stores in North Dakota, says the card brands failed to consider the impact restrictions in franchise agreements and upgrade downtime would have on small merchants' EMV migration plans. Hub, which franchises some of its stores from ExxonMobil, cannot become fully EMV compliant across all of its locations until Oct. 1, 2016, the date ExxonMobil has set for in-store point-of-sale terminal upgrades.
"ExxonMobil has not yet implemented EMV technology in their card-processing network," Scheeler told the committee. Because Hub processes its card payments through ExxonMobil, it can't fully make the EMV shift until the giant oil company is ready.
Although Hub began its EMV migration last year, none of its four locations has been able to even get its POS hardware and software ready to go. "It took 16 weeks just to receive the necessary hardware," Scheeler said. "While hardware has been a major expense, it is only the beginning. None of our stores have gotten their necessary software upgrades - and we can only proceed with the next steps in the EMV transition process after that happens. Then, we move onto what may be the biggest stumbling block - getting technicians to program the new equipment according to card company specifications and getting certification."
All four major U.S. card brands - Visa, MasterCard, American Express and Discover - require separate certifications, a sticking point also noted this week by Liz Garner, vice president of the retail association the Merchant Advisory Group, at our New York Fraud Summit. Finding techs that know each card brand's specifications has proven challenging, especially for smaller merchants, who often get pushed to the back of the line, she says.
Small Business Burdens
As small businesses struggle to jump the EMV adoption hurdle, the last thing they want to think about now is tokenization and encryption, even though many of them want this technology. Many small businesses fear investing in tokenization technologies that are not standardized. And they argue that finding processors that offer end-to-end encryption has proven challenging.
I learned at the annual National Association of Convenience Stores convention earlier this month that some processors are asking small businesses to either pay additional fees for end-to-end encryption - or they're not even offering the service (see EMV: C-Stores Have Long Way to Go).
With the big investments they're already making in EMV, small merchants definitely don't want to take on additional fees.
I agree with Carr that merchants and processors need more than EMV, and I hope that other processors follow Heartland's lead and make end-to-end encryption cost-effectively available to their small-merchant customers. But we all have to be realistic about the financial burden being placed on these retailers for migrating to EMV. How much more can we expect them to do at their own expense?