The Future of Secure Electronic Payments San Diego August 10, 2009 PowerPoint Presentation
Presentation Transcript

The Future of Secure Electronic Payments

San Diego, August 10, 2009

This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10-K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation.
What Is The Problem? The Cybercrimes Arms Race

Who Is Heartland Payment Systems?

What Happened and What Has/Will It Cost?

What Did We Do About It and What Are We Doing Now?

Massive Quantity/Quality of Breaches Call for Enhanced Solutions

Our New Solution Called E3 – End-to-End Encryption

This Is A Crisis and We All Need to Work Together

A Few Humble Suggestions

Topics / Agenda – The Future of Electronic Payments

Escalation of more and more effective spear phishing/injections/etc.

Compliance Is Not Enough

Assessments Are Not Worth Much

Hijacking internet domains – Network Solutions

Massive zero-balance ACH fraud

The financial systems infrastructure needs to be and will be upgraded!

The Cybercrimes Arms Race

Any terrific service people who save data against company policy to help customers – no harm intended?

Any IT people who work around some of the inconveniences of required security that are admittedly good for everyone else?

Any C-Level folks (IT or otherwise) who don’t want to follow stringent password or other security policies so get hard-coded work-arounds?

Certain there is no Black Hat in your employ?

Any employees/consultants with access who might be tempted with a bribe?

Your Protection Against Potential Insider Attacks


Heartland Payment Systems – What is Our Business?

  • Card processing
    • Credit/debit/prepaid cards:
      • Process 11 million transactions a day
      • Process over 4.2 billion transactions annually
      • Fund accepting merchants over $80 billion annually
  • Payroll processing (small competitor to PayChex and ADP)
  • Check 21 processing (electronic depositing of scanned checks)
  • Online payment processing
  • MicroPayments – vending, laundry, campus solutions
  • Gift cards and loyalty programs

Heartland Payment Systems

12 Years Ago ... And Today

  • 1997 (first transaction 6/15/97) vs. July 31, 2009
    • Clients: 2,350 vs. 250,000
    • Employees: 25 vs. 3,109
    • Rank: #62 in US vs. #5 in US (#9 in world)
    • Portfolio: $0.4 billion vs. $80 billion

Heartland Service Center: HPY-owned – 650 employees – 35-acre site across the Ohio River from Louisville, KY


5 Year Financial Results 2004-2008 (chart: Net Revenue, Net Income, EPS)

Financial Strength

  • Balance sheet – 12/31/2008
    • Cash on hand – $49.6 MM
    • Debt – $75 MM
    • Equity – $179.2 MM
    • Assets – $463.6 MM
  • Income Statement – 2008
    • Gross receipts – $1,545 MM
    • Pre-tax income – $70.6 MM
    • After-tax income – $41.8 MM
    • A Fortune 1000 company in 2010? (missed in 2009 by 0.2%)

Winter-Spring 2008

Sniffer attack on Hannaford announced – changed the game!

HPS creates dedicated Chief Security Officer/fills position

April 30, 2008 – HPS passes sixth consecutive PCI DSS assessment by largest QSA

Mid-May 2008 – Penetration of payments network

Possibly related to attack in very late 2007 on customer-facing web page

Detected within 48 hours/no payment data implicated

What Happened?

Late Oct. 2008 – Informed by card brand that issuers suspected potential breach of one or more processors

HPS requested sample fraud transactions

Many sampled transactions never touched our payment network

Nine weeks following Oct. 2008 inquiry

Despite ongoing investigation by Heartland and two separate forensic companies, no evidence of an intrusion discovered

Jan. 9, 2009 – Forensic companies advised they had nearly completed their investigations and found no problems; final reports expected shortly

Jan. 13-20, 2009 – Discovered suspicious malware and learned of breach

Notified law enforcement, card brands

Public announcement

What Happened – The Investigation and the Announcement

~50% reduction in market cap (~$400MM)

1H09 – $32 million in expense including

  • Visa fine < $1MM
  • MasterCard fine ~$7MM
  • Settlement offer

2H09 and Beyond – to be determined

What Has It Cost Heartland?

Contrary to Industry Speculation, the Cost Is NOT Acceptable

Issuing Banks

Customer attrition

Cost of reissuing and monitoring for fraud

Electronic payment industry worries about lost consumer confidence

(All stakeholders in the electronic payment system)

What Has/Will It Cost Issuing Banks and Other Stakeholders?

Additional security enhancements

Complete reimaging of servers

Additional network segmentation

More intense monitoring

More intense DLP efforts

Everything else the card brands requested

Follow probation requirements

Requested meetings with the card brands

Requested meeting with PCI SSC officials

Worked non-stop to obtain recertification

What Did We Do About It?

Before learning of our breach (after sniffer attack at Hannaford)

Speaking out about need for improved systems

Federal Reserve Bank of Philadelphia Panel

Merchant Advisory Group

Verifone User’s Conference

Began developing end-to-end encryption solution

Asked ANSI X9 – F6 to develop end-to-end encryption standard

After learning of our breach

Formed FS-ISAC / PPISC and distributed malware and attack vectors

Focused on ramping up end-to-end encryption development

Ramped up ANSI X9 – F6 leadership

What Were We Doing Before & What Are We Doing Now?

Knowledge of security threats should not be viewed as a competitive advantage.

Heartland’s approach:

Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem

Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security

The Bigger Picture

The Heartland E3 Terminal

Heartland Confidential

Physical Security

  • HPS E3 terminal is a multi-level TRSM (tamper-resistant security module)
  • Tamper response and resistance
    • Battery-backed switches, epoxy, wire mesh, etc.
    • Protect the PCB (printed circuit board) and processors

Wire Mesh

Wire mesh enables tamper response and protects the keypad, PCB and processors.


Offline Encryption, Centralized Decryption Using IBE & FPE

1. Random FPE Key = 0x12a36cde87fa6d3c10896d3e2c85003b

2. KMB = IBE-Encrypt(Public Key, Random Key)

3. Save KMB to TRSM

4. Encrypt PANs using Random Key

1234-5678-6543-3214 -> 5673-4678-9012-3678

6803-3467-5012-2456 -> 7208-3892-1087-6444

3890-7384-5901-2654 -> 9645-0123-8911-6328

5. Transfer KMB + encrypted PANs to Processing Center

6. Decrypt only when Card Brands Require

Decrypt(5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) = (1234-5678-6543-3214, 6803-3467-5012-2456, 3890-7384-5901-2654)
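As an added illustration of steps 1, 4 and 6 above (example code written for this page, not Heartland's E3 implementation): a toy format-preserving cipher that, like the slide, turns a 16-digit PAN into another 16-digit PAN under a random terminal key and lets the processing center reverse it on demand. It assumes a Feistel network with an HMAC-SHA256 round function (not NIST FF1/FF3), and since identity-based encryption is not in the Python standard library, the IBE-wrapped KMB of steps 2, 3 and 5 is stood in for by handing the key to the decrypt side directly.

```python
import hashlib
import hmac
import secrets

# Added example, not Heartland's E3 code: a toy format-preserving cipher over
# decimal digit strings (10-round Feistel, HMAC-SHA256 round function keyed
# with the terminal's random FPE key). Output keeps the input's length and
# digit alphabet, as in slide step 4, but this is NOT NIST FF1/FF3.
ROUNDS = 10

def _prf(key: bytes, rnd: int, half: str, width: int) -> int:
    """HMAC over (round index, other half), reduced to a width-digit int."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)

def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    left, right = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for r in range(ROUNDS):
        width = len(left)
        mixed = (int(left) + _prf(key, r, right, width)) % (10 ** width)
        left, right = right, f"{mixed:0{width}d}"
    return left + right

def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Run the rounds backwards; ROUNDS is even, so the split point matches."""
    left, right = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for r in reversed(range(ROUNDS)):
        width = len(right)
        orig = (int(right) - _prf(key, r, left, width)) % (10 ** width)
        left, right = f"{orig:0{width}d}", left
    return left + right

def _dashed(digits: str) -> str:
    return "-".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def encrypt_pan(key: bytes, pan: str) -> str:
    """Terminal side (step 4): dashed PAN in, dashed same-length PAN out."""
    return _dashed(fpe_encrypt_digits(key, pan.replace("-", "")))

def decrypt_pan(key: bytes, token: str) -> str:
    """Processing center side (step 6): only when a card brand requires it."""
    return _dashed(fpe_decrypt_digits(key, token.replace("-", "")))

def e3_round_trip(pans):
    """Step 1 fresh key at the terminal; IBE-wrapped KMB (steps 2/3/5) is stood in for by handing over the key."""
    fpe_key = secrets.token_bytes(16)
    tokens = [encrypt_pan(fpe_key, p) for p in pans]
    return tokens, [decrypt_pan(fpe_key, t) for t in tokens]
```

Because the cipher is deterministic under one key, the same PAN always maps to the same token, which is what lets a processor match repeat transactions without decrypting.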


The Heartland E3 Device Roundup

  • Heartland E3 POS
  • Heartland E3 wedge
  • Heartland E3 insertion reader
  • Heartland E3 e-Commerce/middleware
  • Heartland E3 unattended devices
  • Partnerships with other terminal vendors to bring additional offerings to our merchants

PCI DSS is a good standard and is properly required by the industry

Enhancements to Consider

Better Authentication Is Preferred

Chip and PIN

Tokenization solutions

End-to-end encryption solutions

New solutions

The Future of Secure Electronic Payments

Opportunities for Improvement

Better protection from insider attacks and human error

6 million small merchants have trouble managing 233 “best practices” aka “requirements”

No silver bullet, but reasonable capital investment is preferable to permanent high overhead costs

The Future of Secure Electronic Payments

Let’s get rid of tampering – encrypt the magnetic stripe when possible and encrypt at earliest point of entry everywhere else

How to Pay For IT?

Reduced cost of compliance

Reduction of potential liability

Carrot and Stick from Card Brands

The Future of Secure Electronic Payments

Stop the over-the-top criticism of PCI compliance – not credible

Stop the attacks on credit interchange – not credible

Recognize the difference between interchange for credit and for debit

Recognize the difference between fees to the card brands and interchange to the card issuers

A Few Humble Suggestions for a More Effective Approach