October 27, 2009
Heartland on E3 end-to-end encryption, Pt.3
A true end-to-end encryption. Heartland first began looking into the E3 end-to-end encryption debit and credit card payment processing system shortly after learning of the Hannaford Brothers Co data breach in early 2008. The Hannaford security breach exposed more than 4 million debit and credit card numbers to potential fraud. It has since been tied to over 2,000 cases of identity and card fraud. The data breach occurred during the debit and credit card authorization process. Heartland's CEO Robert Carr empowered the company's employees to develop a payment processing system that would offer the most comprehensive security and would involve end-to-end encryption. At that time, Steve Elefant was hired to manage a new division created to develop the new system.
After much investigation, development, and testing, the company began piloting the E3 end-to-end encryption debit and credit card payment system in June 2009. The pilot programs have successfully processed thousands of payment transactions. The company expects to commercially expand the program by the end of the year. During the development process, Heartland looked at the security levels of the debit and credit card terminals. They found that the link between the magnetic stripe reader and the terminal's Tamper Resistant Security Module (TRSM) was not adequately secured. The TRSM contact point is vulnerable to attack. Heartland's new E3 terminals address this vulnerability and "wedge and site cap devices that have these levels of security." As soon as the card information is entered, it will be encrypted by a new component that corrects this point of vulnerability.
Heartland has also added another security feature: it signs the terminal's applications, thereby preventing an intruder from installing another application. The E3 system will lock down the operating system and will prevent entry by any application that does not have a certificate. At this point the E3 takes all the sales transaction information and the encrypted debit or credit card information and prepares it with Identity-Based Encryption (IBE) for transmission. The information is then pushed to the network's security module. This is the only point where the information can be decrypted or encrypted as it is delivered to the card issuer. The encryption process is also used in the storage of settlements and funding.
