The Future of Secure Electronic Payments San Diego August 10, 2009
The Future of Secure
Electronic Payments
San Diego
August 10, 2009
This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10-K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation.
Topics / Agenda – The Future of Electronic Payments
1. What Is The Problem? The Cybercrimes Arms Race
2. Who Is Heartland Payment Systems?
3. What Happened and What Has/Will It Cost?
4. What Did We Do About It and What Are We Doing Now?
5. Massive Quantity/Quality of Breaches Call for Enhanced Solutions
6. Our New Solution Called E3 – End-End Encryption
7. This Is A Crisis and We All Need to Work Together
8. A Few Humble Suggestions
The Cybercrimes Arms Race
1. Escalation of more and more effective spear phishing/injections/etc.
2. Compliance Is Not Enough
3. Assessments Are Not Worth Much
4. Hijacking internet domains – Network Solutions
5. Massive zero-balance ACH fraud
6. The financial systems infrastructure needs to be and will be upgraded!
Your Protection Against Potential Insider Attacks
1. Any terrific service people who save data against company policy to help customers – no harm intended?
2. Any IT people who work around some of the inconveniences of required security that are admittedly good for everyone else?
3. Any C-Level folks (IT or otherwise) who don’t want to follow stringent password or other security policies so get hard-coded work-arounds?
4. Certain there is no Black Hat in your employ?
5. Any employees/consultants with access who might be tempted with a bribe?
Heartland Payment Systems – What is Our Business?
• Card processing – Credit/debit/prepaid cards:
  – Process 11 million transactions a day
  – Process over 4.2 billion transactions annually
  – Fund accepting merchants over $80 billion annually
• Payroll processing (small competitor to PayChex and ADP)
• Check 21 processing (electronic depositing of scanned checks)
• Online payment processing
• MicroPayments – vending, laundry, campus solutions
• Gift cards and loyalty programs
Heartland Payment Systems
12 Years Ago ... And Today
[Chart: Historical Processing Growth 1998-2009]
[Photo: Heartland Service Center – HPY owned – 650 employees – 35 acre site across Ohio River from Louisville, KY]
5 Year Financial Results 2004-2008 ($ thousands, except EPS in $)
Year   Net Revenue   Net Income    EPS
2004       137,796        8,855   0.26
2005       186,486       19,093   0.50
2006       245,652       28,544   0.71
2007       294,771       35,870   0.90
2008       383,708       41,840   1.08
Financial Strength
• Balance sheet – 12/31/2008
  Cash on hand – $49.6 MM
  Debt – $75 MM
  Equity – $179.2 MM
  Assets – $463.6 MM
• Income Statement – 2008
  Gross receipts – $1,545 MM
  Pre-tax income – $70.6 MM
  After-tax income – $41.8 MM
A Fortune 1000 company in 2010?(missed in 2009 by 0.2%)
What Happened?
• Winter-Spring 2008 – Sniffer attack on Hannaford announced – changed the game! HPS creates dedicated Chief Security Officer/fills position
• April 30, 2008 – HPS passes sixth consecutive PCI DSS assessment by largest QSA
• Mid-May 2008 – Penetration of payments network
  Possibly related to attack in very late 2007 on customer-facing web page
• Detected within 48 hours/no payment data implicated
What Happened – The Investigation and the Announcement
• Late Oct. 2008 – Informed by card brand that issuers suspected potential breach of one or more processors
  HPS requested sample fraud transactions
  Many sampled transactions never touched our payment network
• Nine weeks following Oct. 2008 inquiry – Despite ongoing investigation by Heartland and two separate forensic companies, no evidence of an intrusion discovered
• Jan. 9, 2009 – Forensic companies advised they had nearly completed their investigations and found no problems; final reports expected shortly
• Jan. 13-20, 2009 – Discovered suspicious malware and learned of breach
  Notified law enforcement, card brands
  Public announcement
What Has It Cost Heartland?
• ~50% reduction in market cap (~$400MM)
• 1H09 – $32 million in expense including:
  Forensics
  Legal
  Visa fine < $1MM
  MasterCard fine ~$7MM
  Settlement offer
• 2H09 and Beyond – to be determined
What Has/Will It Cost Issuing Banks and Other Stakeholders?
Contrary to Industry Speculation, the Cost Is NOT Acceptable
Issuing Banks
  – Customer attrition
  – Cost of reissuing and monitoring for fraud
  – Fraud
And… Electronic payment industry worries about lost consumer confidence
(All stakeholders in the electronic payment system)
What Did We Do About It?
• Additional security enhancements
  Complete reimaging of servers
  Additional network segmentation
  More intense monitoring
  More intense DLP efforts (Vontu)
  Everything else the card brands requested
• Follow probation requirements
• Requested meetings with the card brands
• Requested meeting with PCI SSC officials
• Worked non-stop to obtain recertification
What Were We Doing Before & What Are We Doing Now?
Before learning of our breach (after sniffer attack at Hannaford)
• Speaking out about need for improved systems
  Federal Reserve Bank of Philadelphia Panel
  Merchant Advisory Group
  Verifone User’s Conference
• Began developing end-to-end encryption solution
• Asked ANSI X9 – F6 to develop end-to-end encryption standard
After learning of our breach
• Formed FS-ISAC / PPISC and distributed malware and attack vectors
• Focused on ramping up end-to-end encryption development
• Ramped up ANSI X9 – F6 leadership
The Bigger Picture
Knowledge of security threats should not be viewed as a competitive advantage.
Heartland’s approach:
• Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem
• Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security
Heartland Payment Encryption Zones
The Heartland E3 Terminal
Heartland Confidential
Physical Security
• HPS E3 terminal is a multi-level TRSM
• Tamper response and resistance
  Battery-backed switches, epoxy, wire mesh, etc. protect the PCB (printed circuit board) and processors
  Wire mesh enables tamper response and protects the keypad, PCB and processors.
Wire Mesh
Offline Encryption, Centralized Decryption Using IBE & FPE
POS
1. Random FPE Key = 0x12a36cde87fa6d3c10896d3e2c85003b
2. KMB = IBE-Encrypt(Public Key, Random Key)
3. Save KMB to TRSM
4. Encrypt PANs using Random Key
   1234-5678-6543-3214 -> 5673-4678-9012-3678
   6803-3467-5012-2456 -> 7208-3892-1087-6444
   3890-7384-5901-2654 -> 9645-0123-8911-6328
   …
5. Transfer KMB + (5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328)
Processing Center
6. Decrypt only when Card Brands Require
   Decrypt(KMB, 5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) = (1234-5678-6543-3214, 6803-3467-5012-2456, 3890-7384-5901-2654)
Card Brands
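The six steps above, worked through in Python as an added example; this is not Heartland's E3 code and does not reproduce its ciphertexts. Two substitutions are assumptions made here so the example runs on the standard library alone: the IBE-Encrypt step is stood in for by an RSA-KEM (the terminal holds only the centre's public key, the centre alone holds the private key), and the format-preserving cipher is a toy digit Feistel network keyed with HMAC-SHA256 rather than NIST FF1/FF3. The names wrap_key, unwrap_key, fpe_encrypt, fpe_decrypt, Terminal and decrypt_batch are hypothetical; the sample PANs are the test values from the slide. The slide's fixed key is replaced by a fresh random key per terminal, which is what step 1 calls for.

```python
import hashlib
import hmac
import secrets

# ---- Key wrap: an RSA-KEM stands in for the slide's IBE-Encrypt step (assumption) ----
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin for odd n > 3 (the only candidates _random_prime produces).
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):
    """Centre key pair ((n, e), (n, d)); 512 bits keeps the demo fast, far too small for real use."""
    e = 65537                      # prime, so gcd(e, phi) == 1 iff e does not divide phi
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def wrap_key(public_key, data_key: bytes) -> bytes:
    """Build the KMB: encapsulate random r, derive a KEK from r, XOR-wrap the 16-byte key, add an HMAC tag."""
    n, e = public_key
    nbytes = (n.bit_length() + 7) // 8
    r = secrets.randbelow(n - 2) + 2
    encapsulated = pow(r, e, n).to_bytes(nbytes, "big")
    kek = hashlib.sha256(r.to_bytes(nbytes, "big")).digest()
    wrapped = bytes(x ^ y for x, y in zip(data_key, kek[:16]))
    tag = hmac.new(kek[16:], encapsulated + wrapped, hashlib.sha256).digest()[:16]
    return encapsulated + wrapped + tag

def unwrap_key(private_key, kmb: bytes) -> bytes:
    """Only the holder of d recovers r, hence the KEK, hence the data key; a bad tag is rejected."""
    n, d = private_key
    nbytes = (n.bit_length() + 7) // 8
    encapsulated, wrapped, tag = kmb[:nbytes], kmb[nbytes:nbytes + 16], kmb[nbytes + 16:]
    r = pow(int.from_bytes(encapsulated, "big"), d, n)
    kek = hashlib.sha256(r.to_bytes(nbytes, "big")).digest()
    expected = hmac.new(kek[16:], encapsulated + wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("KMB rejected: wrong private key or tampered block")
    return bytes(x ^ y for x, y in zip(wrapped, kek[:16]))

# ---- Format-preserving encryption: a toy digit Feistel network, not NIST FF1/FF3 ----
def _round_fn(key: bytes, i: int, half: str, width: int) -> int:
    mac = hmac.new(key, bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def fpe_encrypt(key: bytes, digits: str, rounds: int = 10) -> str:
    """Digit string in, same-length digit string out: the ciphertext still looks like a PAN."""
    h = len(digits) // 2
    a, b = digits[:h], digits[h:]
    for i in range(rounds):
        w = len(a)
        a, b = b, f"{(int(a) + _round_fn(key, i, b, w)) % 10 ** w:0{w}d}"
    return a + b

def fpe_decrypt(key: bytes, digits: str, rounds: int = 10) -> str:
    h = len(digits) // 2
    a, b = digits[:h], digits[h:]
    for i in reversed(range(rounds)):      # undo the rounds in reverse order
        w = len(b)
        a, b = f"{(int(b) - _round_fn(key, i, a, w)) % 10 ** w:0{w}d}", a
    return a + b

def _fmt(digits: str) -> str:
    return "-".join(digits[i:i + 4] for i in range(0, len(digits), 4))

class Terminal:
    """POS side (steps 1-4): knows only the public key and its own random data key."""
    def __init__(self, public_key):
        self.data_key = secrets.token_bytes(16)          # step 1: random FPE key inside the TRSM
        self.kmb = wrap_key(public_key, self.data_key)   # steps 2-3: wrap it, keep the KMB
    def encrypt_pan(self, pan: str) -> str:              # step 4: PAN in, PAN-shaped ciphertext out
        return _fmt(fpe_encrypt(self.data_key, pan.replace("-", "")))

def decrypt_batch(private_key, kmb: bytes, ciphertexts):
    """Processing centre (step 6): unwrap the data key shipped in step 5, then recover the PANs."""
    data_key = unwrap_key(private_key, kmb)
    return [_fmt(fpe_decrypt(data_key, c.replace("-", ""))) for c in ciphertexts]

SAMPLE_PANS = ["1234-5678-6543-3214", "6803-3467-5012-2456", "3890-7384-5901-2654"]  # slide test values
```

The point the code makes concrete is the trust boundary: everything the terminal stores or transmits (its KMB and the PAN-shaped ciphertexts) is useless without the centre's private key, so a compromised terminal, a tapped line or a captured batch yields no cardholder data, and the centre unwraps a key only at step 6, when a card brand requires the clear PAN. The HMAC tag on the KMB means a block altered in transit, or one presented to the wrong centre key, is rejected rather than silently decrypted to garbage.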
The Heartland E3 Device Roundup
• Heartland E3 POS
• Heartland E3 wedge
• Heartland E3 insertion reader
• Heartland E3 e-Commerce/middleware
• Heartland E3 unattended devices
• Partnerships with other terminal vendors to bring additional offerings to our merchants
The Future of Secure Electronic Payments
PCI DSS is a good standard and is properly required by the industry
• Enhancements to Consider
  Better Authentication Is Preferred
  Chip and PIN
  Tokenization solutions
  End-to-end encryption solutions
  New solutions
The Future of Secure Electronic Payments
Opportunities for Improvement
• Better protection from insider attacks and human error
• 6 million small merchants have trouble managing 233 “best practices” aka “requirements”
• No silver bullet, but reasonable capital investment is preferable to permanent high overhead costs
The Future of Secure Electronic Payments
A Few Humble Suggestions for a More Effective Approach
• Let’s get rid of tampering – encrypt the magnetic stripe when possible and encrypt at earliest point of entry everywhere else
• How to Pay For IT?
  Reduced cost of compliance
  Reduction of potential liability
  Carrot and Stick from Card Brands
• Stop the over-the-top criticism of PCI compliance – not credible
• Stop the attacks on credit interchange – not credible
• Recognize the difference between interchange for credit and for debit
• Recognize the difference between fees to the card brands and interchange to the card issuers
Thank You