Heartland Payment Systems is so confident in the security of its payment processing technology that, on Jan. 12, it announced a new breach warranty for its users. The warranty program will reimburse merchants for costs incurred from a data breach that involves the Heartland Secure credit card payment processing system.
The new warranty from Heartland comes at an interesting time for merchants. There were many high-profile data breaches at merchants in 2014, including Target, Staples and Home Depot. From a regulatory perspective, President Obama is now reportedly set to announce new data breach disclosure laws, in the form of the Personal Data Notification and Protection Act, during his State of the Union address at the end of January.
"There is no bad time to ensure the businesses that process cards with us are safe," Mike English, executive director of product development at Heartland, told eWEEK. "Hackers and criminals don't wait until the busy times to breach a retail or restaurant network."
The Heartland breach warranty covers costs a merchant incurs as a result of a breach and card data being stolen, according to English. There are multiple costs that can be associated with a breach.
"Fines are assessed by the card brands—Visa, MasterCard, Amex and Discover—the issuing banks and acquiring bank," English said. "Our breach warranty covers all those costs, which can reach into the millions, plus the forensic audit by a PCI-certified Qualified Security Assessor."
The PCI (Payment Card Industry) Data Security Standard (DSS) is a key framework for helping an organization create and maintain secure best practices for payments. PCI-DSS 3.0 came into effect on Jan. 1, 2015.
Heartland is no stranger to the world of data breaches. In 2008, Heartland itself was breached in an incident that impacted 100 million credit cards. The company ended up settling with Visa for $60 million to cover breach-related costs. In the aftermath of its breach, Heartland began to advocate the need for end-to-end encryption, which is part of the Heartland Secure system and the new breach warranty.
The Heartland Secure payment system supports both EMV (also known as Chip and PIN) credit cards and traditional magnetic stripe. The encryption that the system provides for both types of credit cards is at the core of Heartland's warranty confidence.
"Our Heartland Secure certified terminals and E3 PIN pads encrypt EMV and magnetic stripe transactions, taking clear text card data out of the merchant's network," English explained. "The magnetic stripe is not going away any time soon, and we want to make sure that our merchants are protected, regardless of the way a consumer pays."
While some warranties have third-party underwriters to limit the risk for the issuing product vendor, English said that Heartland is underwriting the breach warranty itself.
"We have total confidence in E3 encryption and our tokenization solution," he said.
When it comes to limiting the risk of breaches and improving retailer security, there are many approaches that the industry has taken. Supporting PCI DSS compliance is one approach, though history has proved that PCI DSS compliance alone is not enough. English commented that over the last 12 months many major merchants have announced breaches involving millions of cards. Many of the breached retailers were PCI-compliant, yet that didn't stop the breaches and theft of card data, he added.
"Heartland believes that security is all about managing risk, and we are doing so by taking clear text card data out of the business' systems and stores," English said. "When there is no clear text card data, there is nothing for a hacker to steal."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.