Heartland offers end-to-end encryption to customers
by Steve Ragan - May 27 2010, 23:40
The E3 card terminal that Heartland announced this week will offer end-to-end encryption of the card data. Merchants that use it will have peace of mind that the data is useless to criminals if captured, the company said. However, E3 isn’t a free offer to any of their 250,000 plus customers, or those who might want in on the action down the line.
Heartland, the world’s fifth largest payment processor, is aiming to sell its existing customers and potential customers a “comprehensive solution that enables merchants to handle credit card transactions,” Wasim Ahmad, VP at Voltage Security explained to us recently.
“It has built a state-of-the-art system called E3 that uses Voltage’s end-to-end encryption technology to provide security of cardholder data from card swipe to card brand hand-off. In creating E3 Heartland has led the way in applying security technologies to ensure that cardholder data is useless to criminal hackers.”
Voltage works with several other payment processors and POS vendors, including Fifth Third Processing Solutions and Hypercom, to provide end-to-end encryption and tokenization. However, E3, it seems, is mostly for Heartland clients and prospective clients.
Ahmad told us that the top three benefits for Heartland customers using E3 include the fact that no cardholder data is present in the merchant’s systems. In addition, there are minimal, if any, disruptions to the merchant during day-to-day operations. Finally, there is the warranty from Heartland, which pays the merchant the amount of compliance fines, fees, or assessments in the event of a breach that can be linked to a direct failure of E3.
In a statement announcing the E3 release, Bob Carr, Heartland’s chairman and CEO said that, “Data security is mission critical in today’s world. That's why Heartland is taking a leadership role in making end-to-end encryption available and easy to implement for merchants large and small.”
“While not a silver bullet, we feel this technology is a significant leap forward in helping the payments industry — as well as merchants and consumers — mitigate much of the risk of cybercrime.”
Heartland made mention in the press materials that they’ve been working on E3 for over two years. It’s noted that in the past two years, there were more than 650 reported breaches related to data theft. Yet there is something missing in all the material supporting E3: the reason that led Heartland to team up with Voltage in the first place.
Heartland suffered a data breach in 2008 that resulted in the loss of 130 million credit card records. The loss is largely viewed as one of the largest data breaches in history, if not the largest. This fact is missing from the marketing and informational details offered by Heartland, including the E3 blog.
We asked another encryption company their thoughts on E3. Kim Addington, CMO of nuBridges, gave us their perspective.
“This is certainly a viable solution that should help Heartland retain existing customers and may help them attract new ones. It won't be right for everyone though. Some merchants won't want to invest in new swipe devices; some may have integration issues with their point of sale systems; some won't want to be locked into one payment processor,” Addington said.
“This solution is ciphertext-based so it doesn't remove systems from audit scope the way tokenization does (an alternate approach offered by other payment processors and by software providers like nuBridges).”
Addington said that Carr deserves a lot of credit for how open and forthright he has been about Heartland's breach experience. This is true. Yet, that openness was missing when the E3 data came across our desk.
Another interesting topic is the warranty that comes with E3. The sticking point that looks like a “you’ve nothing to lose by purchasing this” offer is that if there is a breach, Heartland will cover the costs.
“If, during the warranty period on any particular Heartland E3 device, the device fails to prevent the unauthorized decryption of cardholder data on that particular device, and that failure is a result of a defect or error in Heartland's software or hardware, Heartland will pay the merchant the amount of compliance fines, fees and/or assessments the merchant pays to the card brands, issuing bank or acquiring bank. Heartland will also pay the merchant any costs he/she pays for a directly related forensic audit conducted by a PCI-certified Qualified Incident Response Assessor,” the marketing materials explain.
At the same time, this warranty only applies to merchants who agree to Heartland’s processing agreement and its terms and conditions, and who are processing transactions through Heartland at the time of the failure or breach. If you use other processors, then this will not apply, even if you use E3-enabled terminals. However, warranty or not, if Heartland is hit again, all bets are off for the consumer.
Have your say.
Payment security is important, especially to the small mom and pop businesses that need transactional protection, because if they are hit with a breach, they will watch as their business folds.
However, Heartland suffered a massive breach, exposing 130 million cards, and in the aftermath worked to evangelize payment security, resulting in the partnership with Voltage and the development of E3.
Should they offer E3 to existing clients as a free service, or should it be an upsell? What do you think about E3 overall, and what do you make of the warranty that comes with it?