The Future of Secure Electronic Payments San Diego August 10, 2009 PowerPoint Presentation
Presentation Transcript
slide1

The Future of Secure

Electronic Payments

San Diego

August 10, 2009

slide2
This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us,  including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us,  the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system,  and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10- K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation.
slide3
Topics / Agenda – The Future of Electronic Payments

  • What Is The Problem? The Cybercrimes Arms Race
  • Who Is Heartland Payment Systems?
  • What Happened and What Has/Will It Cost?
  • What Did We Do About It and What Are We Doing Now?
  • Massive Quantity/Quality of Breaches Call for Enhanced Solutions
  • Our New Solution Called E3 – End-to-End Encryption
  • This Is A Crisis and We All Need to Work Together
  • A Few Humble Suggestions

slide4
The Cybercrimes Arms Race

  • Escalation of more and more effective spear phishing/injections/etc.
  • Compliance Is Not Enough
  • Assessments Are Not Worth Much
  • Hijacking internet domains – Network Solutions
  • Massive zero-balance ACH fraud
  • The financial systems infrastructure needs to be and will be upgraded!

slide5
Your Protection Against Potential Insider Attacks

  • Any terrific service people who save data against company policy to help customers – no harm intended?
  • Any IT people who work around some of the inconveniences of required security that are admittedly good for everyone else?
  • Any C-Level folks (IT or otherwise) who don’t want to follow stringent password or other security policies so get hard-coded work-arounds?
  • Certain there is no Black Hat in your employ?
  • Any employees/consultants with access who might be tempted with a bribe?

slide6

Heartland Payment Systems – What is Our Business?

  • Card processing
    • Credit/debit/prepaid cards:
      • Process 11 million transactions a day
      • Process over 4.2 billion transactions annually
      • Fund accepting merchants over $80 billion annually
  • Payroll processing (small competitor to PayChex and ADP)
  • Check 21 processing (electronic depositing of scanned checks)
  • Online payment processing
  • MicroPayments – vending, laundry, campus solutions
  • Gift cards and loyalty programs
slide7

Heartland Payment Systems

12 Years Ago ... And Today

  • 1997 (1st transaction 6/15/97): 2,350 clients; 25 employees; #62 in US; $0.4 billion portfolio
  • July 31, 2009: 250,000 clients; 3,109 employees; #5 in US, #9 in world; $80 billion portfolio
slide10

Heartland Service Center – HPY owned – 650 employees – 35 acre site across Ohio River from Louisville, KY

slide11

5 Year Financial Results 2004-2008 (net revenue and net income in $ thousands; EPS in $)

  • 2004 – Net revenue 137,796 – Net income 8,855 – EPS 0.26
  • 2005 – Net revenue 186,486 – Net income 19,093 – EPS 0.50
  • 2006 – Net revenue 245,652 – Net income 28,544 – EPS 0.71
  • 2007 – Net revenue 294,771 – Net income 35,870 – EPS 0.90
  • 2008 – Net revenue 383,708 – Net income 41,840 – EPS 1.08

slide12

Financial Strength

  • Balance sheet – 12/31/2008
    • Cash on hand – $49.6 MM
    • Debt – $75 MM
    • Equity – $179.2 MM
    • Assets – $463.6 MM
  • Income Statement – 2008
    • Gross receipts – $1,545 MM
    • Pre-tax income – $70.6 MM
    • After-tax income – $41.8 MM
    • A Fortune 1000 company in 2010? (missed in 2009 by 0.2%)
slide13
What Happened?

  • Winter-Spring 2008
    • Sniffer attack on Hannaford announced – changed the game!
    • HPS creates dedicated Chief Security Officer/fills position
  • April 30, 2008 – HPS passes sixth consecutive PCI DSS assessment by largest QSA
  • Mid-May 2008 – Penetration of payments network
    • Possibly related to attack in very late 2007 on customer-facing web page
    • Detected within 48 hours/no payment data implicated

slide14
What Happened – The Investigation and the Announcement

  • Late Oct. 2008 – Informed by card brand that issuers suspected potential breach of one or more processors
    • HPS requested sample fraud transactions
    • Many sampled transactions never touched our payment network
  • Nine weeks following Oct. 2008 inquiry
    • Despite ongoing investigation by Heartland and two separate forensic companies, no evidence of an intrusion discovered
    • Jan. 9, 2009 – Forensic companies advised they had nearly completed their investigations and found no problems; final reports expected shortly
  • Jan. 13-20, 2009 – Discovered suspicious malware and learned of breach
    • Notified law enforcement, card brands
    • Public announcement

slide15
What Has It Cost Heartland?

  • ~50% reduction in market cap (~$400MM)
  • 1H09 – $32 million in expense including
    • Forensics
    • Legal
    • Visa Fine < $1MM
    • MasterCard Fine ~$7MM
    • Settlement offer
  • 2H09 and Beyond – to be determined

slide16
What Has/Will It Cost Issuing Banks and Other Stakeholders?

Contrary to Industry Speculation, the Cost Is NOT Acceptable

  • Issuing Banks
    • Customer attrition
    • Cost of reissuing and monitoring for fraud
    • Fraud
  • And…
    • Electronic payment industry worries about lost consumer confidence (All stakeholders in the electronic payment system)

slide17
What Did We Do About It?

  • Additional security enhancements
    • Complete reimaging of servers
    • Additional network segmentation
    • More intense monitoring
    • More intense DLP efforts (Vontu)
  • Everything else the card brands requested
    • Follow probation requirements
  • Requested meetings with the card brands
  • Requested meeting with PCI SSC officials
  • Worked non-stop to obtain recertification

slide18
What Were We Doing Before & What Are We Doing Now?

  • Before learning of our breach (after sniffer attack at Hannaford)
    • Speaking out about need for improved systems
      • Federal Reserve Bank of Philadelphia Panel
      • Merchant Advisory Group
      • Verifone User’s Conference
    • Began developing end-to-end encryption solution
    • Asked ANSI X9 – F6 to develop end-to-end encryption standard
  • After learning of our breach
    • Formed FS-ISAC / PPISC and distributed malware and attack vectors
    • Focused on ramping up end-to-end encryption development
    • Ramped up ANSI X9 – F6 leadership

slide19
The Bigger Picture

Knowledge of security threats should not be viewed as a competitive advantage.

Heartland’s approach:

  • Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem
  • Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security

slide21


The Heartland E3 Terminal


Heartland Confidential

slide22

Physical Security

  • HPS E3 terminal is a multi-level TRSM
  • Tamper response and resistance
    • Battery-backed switches, epoxy, wire mesh, etc.
    • Protect the PCB (printed circuit board) and processors

Wire Mesh

Wire mesh enables tamper response and protects the keypad, PCB and processors.


slide23

Offline Encryption, Centralized Decryption Using IBE & FPE

At the POS terminal:

  1. Random FPE Key = 0x12a36cde87fa6d3c10896d3e2c85003b
  2. KMB = IBE-Encrypt(Public Key, Random Key)
  3. Save KMB to TRSM
  4. Encrypt PANs using Random Key
     1234-5678-6543-3214 -> 5673-4678-9012-3678
     6803-3467-5012-2456 -> 7208-3892-1087-6444
     3890-7384-5901-2654 -> 9645-0123-8911-6328
  5. Transfer KMB + (5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) to the Processing Center

At the Processing Center:

  6. Decrypt only when Card Brands Require:
     (KMB, 5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) = (1234-5678-6543-3214, 6803-3467-5012-2456, 3890-7384-5901-2654)
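The format-preserving step of this diagram (step 4 at the terminal, step 6 at the processing center), as an added example that is not Heartland's E3 code: a teaching-grade FPE over decimal digits (an unbalanced Feistel network with an HMAC-SHA256 round function, not NIST FF1/FF3 and not the cipher E3 used) that keeps the length and hyphen grouping of a PAN, round-trips exactly, and also handles odd-length PANs. It assumes the IBE wrapping of the random key (KMB, steps 2, 3 and 5) has already happened outside the snippet, so both sides hold the raw key here; the key is the one printed on the slide, the PANs are the slide's sample values, and the ciphertexts will differ from the slide's.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so the two halves end up in their original order


def _round_fn(key: bytes, rnd: int, half: int, modulus: int) -> int:
    """Feistel round function: HMAC-SHA256 over (round, other half), reduced mod 10^len."""
    mac = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string into a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in range(ROUNDS):
        m = 10 ** (u if rnd % 2 == 0 else v)  # domain of the half being replaced
        a, b = b, (a + _round_fn(key, rnd, b, m)) % m
    return f"{a:0{u}d}{b:0{v}d}"


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: the same rounds, run backwards."""
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in reversed(range(ROUNDS)):
        m = 10 ** (u if rnd % 2 == 0 else v)
        a, b = (b - _round_fn(key, rnd, a, m)) % m, a
    return f"{a:0{u}d}{b:0{v}d}"


def _regroup(digits: str, template: str) -> str:
    """Re-apply the hyphen grouping of the original PAN to the transformed digits."""
    out, pos = [], 0
    for group in template.split("-"):
        out.append(digits[pos:pos + len(group)])
        pos += len(group)
    return "-".join(out)


def encrypt_pan(key: bytes, pan: str) -> str:
    """Step 4 (terminal): encrypt the PAN under the random key; the shape is preserved."""
    return _regroup(fpe_encrypt_digits(key, pan.replace("-", "")), pan)


def decrypt_pan(key: bytes, pan: str) -> str:
    """Step 6 (processing center): recover the PAN only when a card brand requires it."""
    return _regroup(fpe_decrypt_digits(key, pan.replace("-", "")), pan)


if __name__ == "__main__":
    key = bytes.fromhex("12a36cde87fa6d3c10896d3e2c85003b")  # the slide's step-1 example key
    print(encrypt_pan(key, "1234-5678-6543-3214"))  # same 4-4-4-4 shape, different digits
```

Because the ciphertext is still a 16-digit PAN-shaped string, downstream systems that only store or route the field keep working, while only the holder of the key (the processing center) can recover the real PAN.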

slide24

The Heartland E3 Device Roundup

  • Heartland E3 POS
  • Heartland E3 wedge
  • Heartland E3 insertion reader
  • Heartland E3 e-Commerce/middleware
  • Heartland E3 unattended devices
  • Partnerships with other terminal vendors to bring additional offerings to our merchants


slide25
The Future of Secure Electronic Payments

PCI DSS is a good standard and is properly required by the industry

Enhancements to Consider

  • Better Authentication Is Preferred
    • Chip and PIN
  • Tokenization solutions
  • End-to-end encryption solutions
  • New solutions

slide26
The Future of Secure Electronic Payments

Opportunities for Improvement

  • Better protection from insider attacks and human error
  • 6 million small merchants have trouble managing 233 “best practices” aka “requirements”
  • No silver bullet, but reasonable capital investment is preferable to permanent high overhead costs

slide27
The Future of Secure Electronic Payments

Let’s get rid of tampering – encrypt the magnetic stripe when possible and encrypt at earliest point of entry everywhere else

How to Pay For IT?

  • Reduced cost of compliance
  • Reduction of potential liability
  • Carrot and Stick from Card Brands

slide28
A Few Humble Suggestions for a More Effective Approach

  • Stop the over-the-top criticism of PCI compliance – not credible
  • Stop the attacks on credit interchange – not credible
  • Recognize the difference between interchange for credit and for debit
  • Recognize the difference between fees to the card brands and interchange to the card issuers