Heartland Breached Again?

Austin, Texas local news reports the police department has named Heartland in a payment card breach at Tino’s Greek Cafe.

“Through our investigation and through the investigation of the credit card companies, we’ve determined the compromise was not at the restaurant itself. It was somewhere in the network,” APD Sgt. Matthew Greer said. APD said a computer hack at Heartland Payment Systems, where the payments were processed, is a possible source of the problem.

Possible source. Not very encouraging. This has left the door open for Heartland to register disbelief and uncertainty.

“Recent reports of data theft at one Austin-area merchant clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud,” Heartland Payment Systems said in a statement.

So this time (or should I say so far) Heartland has not pointed the finger at auditors and QSAs or other payment card processing companies for leaving them in the dark. Quick flashback: Heartland’s CEO last year gave an odd reason for being breached.

The false [PCI DSS] reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process.

PCI compliance never meant an entity could not be breached. A CEO can say he was misled or misinformed, but it is not the QSA’s responsibility to make sure that CEO knows the rules.

The Heartland CEO’s argument is the equivalent of a driver saying they relied on a police officer to know the traffic laws, and that after a crash they should be able to sue their driving test examiner. That is not how compliance works.

Complicating Heartland’s position is another recent Austin retail payment card breach, which also had them as the processor. Their image in the public eye is not exactly one of security, so they should have to prove that a “localized” incident actually removes them from the fix.

As it happens the fix reported in the news makes Heartland appear involved more, not less. The police say the breach came from a weak link between the point-of-sale and the processor. The fix is to stop sending Heartland payment information over the Internet — processing is done over plain old telephone service (POTS) again. An architecture change such as this is usually not due to a localized flaw. Other retailers who connect to Heartland over the Internet might be asking themselves if they should dust off their modems.

One might think that Heartland’s recent efforts with end-to-end encryption would play directly into this issue and they would step up and wave their giant hand over the tiny merchant to make the problem go away. Instead they take a tough negotiation stance that angers the merchant.

Heartland issued a statement denying any involvement in the Tino’s breach, saying the problems, “clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud…the company is unaware of any broader issue.”

“I think that’s very irresponsible of them to issue a statement like that,” said [Tino’s restaurant co-owner] Nouri.

It might not be a broader issue, just a misconfiguration or flaw in communications security, but that still implicates Heartland. They do seem responsible.

When they use words like “unaware” it reminds me of when I presented, in November 2005 at the Retail Security Forum in Chicago, Illinois, a model for end-to-end encryption that would solve the problem described above. It was called “Manage Identities and Keys for the Retail Risk Model”. In fact, it described exactly a solution for what Heartland’s CEO started to discuss publicly three years later (after the Hannaford Brothers breach) and their CIO started talking about four years later.

True end-to-end encryption to us, and what we’re putting forward as the standard, [starts] from the time the digits leave the magstripe on the consumer’s card, and is turned from analogue data into digital data, [and continues] all the way through the terminal, through the wires, through our host processing network until we securely deliver it to the brands. That’s end-to-end encryption.
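The model in that quote, sealing the track data inside the reader so that the POS, the Internet link and any intermediate host see only ciphertext until the processor opens it, as an added example that is not code from the original post or from Heartland. The key, terminal ID and card data are constructed for the demo; a real deployment would keep the key in the reader’s secure element and derive or inject it through a key-management scheme the page does not describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed demo key. In a real reader the key lives in the terminal's secure
// element; the merchant's POS software and the network link never hold it.
var TerminalKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtCapture runs inside the card reader: the track data is sealed the
// moment it is digitised, so the POS and the wire carry only ciphertext. The
// terminal ID is authenticated but left readable so the host can route on it.
func EncryptAtCapture(key, track []byte, terminalID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, track, []byte(terminalID)), nil
}

// DecryptAtProcessor runs at the host, the first place plaintext reappears.
// A flipped byte on the wire or a mismatched terminal ID fails authentication.
func DecryptAtProcessor(key, msg []byte, terminalID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(terminalID))
}
```

With this layout a compromised POS or a tapped POS-to-processor link yields no card number, and any modification in transit is rejected at the host rather than silently processed.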

They do seem aware of the broader issue. Whether or not this breach turns out to be on the point of sale or the network, I hope the APD will be able to push Heartland towards more awareness and accountability and get them to drop the “unaware” defensive line.
