June 30, 2009

Princeton, N.J.-based payment processor Heartland Payment Systems has implemented a live AES encryption transmission process between merchants and its processing platform, according to a press release.

The company's encryption work comes close on the heels of its January 2009 disclosure of a major data breach, in which it is believed that a hacker gained access to Heartland's systems -- and the sensitive customer data contained within -- for a lengthy period of time in late 2008. Since that time, the company has embarked on an ambitious campaign to improve its IT security processes.

The AES implementation marks the completion of the first phase of Heartland's end-to-end encryption pilot program, called E3, which aims to encrypt the transaction process from card read to the processor network and on through transmission to card brands. Heartland says that AES (Advanced Encryption Standard) is a high level of encryption that is currently on track to replace DES (Data Encryption Standard) and Triple DES as the standard of choice for sensitive data.

"Typically, cardholder data is unencrypted as it leaves a merchant's terminal and is not encrypted until it is either tokenized in a gateway or at rest in the processing platform's data warehouse," Heartland chairman and CEO Robert O. Carr said in a press release. "This means cardholder data in transit is at risk of being compromised should it get in the hands of cyber criminals or hackers via such methods as network or memory sniffer malware."

On Monday, Heartland tested the first phase of the project with a Texas-based merchant, running transactions for multiple credit cards, as well as prepaid and signature debit cards. "These cards were read by our newly developed pilot tamper-resistant security module (TRSM) terminal. The data was encrypted as the electronic digits left the magnetic stripe and entered the TRSM hardware device. The data was then successfully transmitted to and through our processing platform for authorization and settlement," Carr detailed in the release.

Work on the subsequent phases of Heartland's encryption pilot project is underway, with plans for a full commercial launch set for late 2009. "We believe the marketplace will accept this higher level of payments security and are willing to share our knowledge and learnings with all industry stakeholders via the Payment Processors Information Sharing Council, FS-ISAC and Secure POS Vendor Alliance organizations," Carr stated.