BreachExchange mailing list archives

Heartland CEO On Why Retailers Keep Getting Breached


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Oct 2014 19:19:59 -0600

http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388


Heartland Payment Systems chairman and CEO Robert Carr could be considered
a rare breed of executive these days. He's been outspoken about the massive
data breach the firm suffered on his watch in 2008 that exposed 130 million
US debit and credit card accounts -- the largest breach ever recorded at
the time. And in a new breach era when some corporate executives such as
former Target CEO Gregg Steinhafel have lost their jobs over high-profile
breaches, Carr is still firmly at the helm of the payment processing firm.

Carr led Heartland's adoption of technologies like end-to-end encryption,
tokenization, and EMV chip-and-pin payment card technology to shore up its
security after the breach. "We took a position in 2009 that we're not going
to clam up and try to point the fingers at somebody else," he told Dark
Reading today. "That most definitely helped us a lot."

He has watched the wave of record-breaking retail breaches over the past
year, and he says there's a common theme. "What's happening in the meantime
is, even though solutions are being introduced, encryption being one we
[adopted]… a lot of companies haven't implemented the basics, and they are
paying the price for it."

Big data breaches keep occurring because companies aren't investing in the
proper security, such as end-to-end encryption and tokenization, Carr says.
"The people responsible for spending the money necessary to be safe aren't
spending the money. They don't take it seriously. What I've been saying for
years is that it's going to continue to get worse, because the pool of
victims not doing anything or doing enough is shrinking slowly."

Merchants that think they're too small to be a target will be hit as well,
he says, especially as the Tier 1 merchants continue to step up their
security game and raise the bar for cybercriminals.

Heartland paid out hundreds of millions of dollars to banks and payment
card brands in the wake of its breach. Carr contends that the breached
company itself should be held liable, not the payment card firms or other
partners. The Heartland breach "was our responsibility," he says. "I think
liability needs to be held by the breached party. Otherwise, there's no
other way to police anything."

Blaming MasterCard and Visa for not phasing out magnetic stripe cards a
long time ago is a separate argument. "Today, if a merchant doesn't do the
minimum work to avoid a breach, then they are going to get breached. It's
just a matter of when."

EMV or chip-and-pin payment card technology, end-to-end encryption, and
tokenization are the key technologies merchants should be adopting. "These
solutions are pretty readily available" today.

The move to chip-and-pin payment card technology -- where smart cards with
embedded microchips authenticate the user's identity -- "is forcing
merchants to change out their hardware and thereby spend money to get the
equipment they need to get the [card] data out of their systems," he says.
"If you make that hardware change, [it's] insane if you don't also solve
the encryption issue. Put tokenization in to protect yourself on the
backend," as well.

A lot of executives have taken the less expensive option of neither
swapping out their payment hardware nor encrypting the full data
transaction. "If the bad guys are intercepting transactions on the way to
CPU, if you don't encrypt those and get that data out of the clear, you
don't have a solution. But a lot of merchants have bought into that."

That's not to say Carr doesn't have a few regrets about how his firm
handled its data breach and the aftermath, where malware infiltrated the
company's payment processing system. "There are a lot of things I wish
could have happened differently. Frankly, I don't know what we could have
done differently."

He cited a forensics assessment his company passed with flying colors just
before the breach. "We were given a clean bill of health the Friday before
our breach" in the exam. "We found the problem, not the forensics teams.
Three forensics teams could not find the problem."

For 90 days, Heartland went back and forth with MasterCard and Visa over
who was actually breached. He says there was plenty of confusion during
that period, and Heartland wasn't looped in on all the investigation
specifics. Heartland later confirmed that the breach had begun in June 2008
and ended sometime that August, but the company didn't learn of the attack
until January 2009.

"Everybody got a lot smarter about" handling these breach investigations
since then, he says.

Carr occasionally gets asked for advice from newly breached retailers. "I
tell them we're a processor, you're a merchant. Your situation is
completely different from ours. But here's what we did -- take what makes
sense for you."

Meanwhile, Carr is skeptical that cyberinsurance is the answer for
protecting firms from breach costs. "It gives a false sense of security.
Read the exclusions page."