September 21, 2009
-
Heartland CEO Speaks on Encryption, Pt.3
What is Heartland's ultimate goal?
Heartland's goal is "completely remove payment account numbers of debit and credit cards and magnetic-stripe data so they are never accessible in a useable format in the merchant or processor systems." In this quest, they have stepped out and asked the rest of the credit card industry to accept transactions in encrypted form. Heartland has also worked to form a standards council to establish minimum credit card security practices among industry players and is engaging the security standards entities to join in this effort.
In addition to this, Heartland is trying to put together a forum where the credit card industry's members can share inside information concerning remaining vulnerabilities and threats. This is a platform where the players can exchange their "best practices" and proven techniques to protect credit card data.
The quest is straightforward. Heartland is spearheading this cooperative and technical initiative in an effort to protect the other members from falling victim to the catastrophe that happened to them. Ultimately, this extends to protecting the processors' customers at one end and the issuing banks and credit card holders at the other.
Details weren't given as to what actually happened, due to ongoing investigations, but what we do know is that the cyber-crime perpetrators (at least two Russians and a weasel from Miami) attacked Heartland from both directions. First, they started by stalking Heartland's customers (merchants who submit credit card transactions to Heartland for payment) to gain entry into Heartland's internal systems. Then they, somehow, managed to plant malware within Heartland's internal networks. It has not yet been divulged whether this was done as an inside job or whether they succeeded in inserting the SQL-buster into Heartland's internal servers through a service point with weak protection.
Somehow, however, the cyber-slime managed to persuade the SQL server to spit out the goods. This credit card data was unencrypted.
