September 21, 2009
Heartland CEO Speaks on Encryption, Pt.2
What is Heartland doing about it?

As Heartland rightly explains, the credit card encryption problem is still at large. Even though Heartland is attacking it with a vengeance, there are still a thousand small merchants who have not yet met PCI compliance. Unless an incident flares up, the only punishment the "little guy" faces for failing to meet compliance is paying a higher credit card transaction fee (percentage) than they need to. Fees can range from "best rate" (fractions of a penny per dollar on each credit card purchase) to substantial fractions of the dollar for sloppy security. Some small merchants are willing to live with this. However, punishment is more severe for "big guys" like Heartland and TJ Maxx.
Still, full encryption of PANs ("Personal Account Numbers" - the credit card numbers themselves) is not mandated when this data is traveling from the merchant to the processor or between the processor and the credit card issuing banks. This was the warning given by Heartland's CEO, Robert Carr, to a US Senate committee on Monday. Carr's message is meant to encourage government to actively participate in shoring up credit card security end-to-end. Mr. Carr is confident it can be done and is making his plea to government bodies like the Senate Homeland Security and Governmental Affairs Committee.
Mr. Carr warns that cyber-criminals are relentlessly developing "ever-more-sophisticated methods" for breaching credit card security. He argues that "it is critical to implement new technology, not just at Heartland, but industry-wide." This is part of an ongoing effort to further engage government participation in fighting cyber-crime. Heartland is already in the process of patching up the leaks with actions like in-house safeguards guaranteeing no internal encryption weak spots, extranet encapsulation and even the deployment of tamper-proof POS (point-of-sale) terminals at their merchants' locations.
