Heartland Payment Systems is a Fortune 1000 company that handles credit card payment processing and related services for a variety of merchants. In 2008, Heartland experienced what was then the largest security breach on record, when attackers made off with as many as 100 million debit and credit card numbers. MMG spoke with its chief executive, Robert Carr, about heightened security for retailers and pending changes to the industry.
Q: Can you start by telling us a little bit about the company?
A: We provide payment processing and payroll services to about 400,000 business locations around the country. Payment processing is our primary product, and we’re No. 5 in the industry. We’re also in the point-of-sale business and some adjacent industries related to small merchant business activity. We provide the services, so if a merchant wants to take a credit card, we’re one of the people they can call to get set up with the equipment and the service. On a net revenue basis, we’re an $800 million revenue company. The company is 18 years old, and we have about 4,000 employees. So…we’re a middle-market company.
Q: What types of customers do you serve?
A: We have about 140,000 restaurants and about 60,000 (convenience stores and gas stations). And then we have 36,000 K-12 schools. We do the lunch program and handle payments from the parents of student lunches. We have 3,000 universities and community colleges for which we do the student ID cards, tuition payments and cafeterias, and related payments. Those are prepaid cards.
Q: In the wake of your own security breach and the big breaches at Home Depot and other major retailers, how have you changed your business?
A: We were breached in ’08 and we learned about it in ’09. The change we made is we brought encryption to payments in the United States. Up until our breach, nobody was encrypting the transmission of payments through the phone systems and the networks. By July of 2009 we were able to bring that product to market. That pretty much was the main thing we did that allowed us to survive the breach, because we really raised the level of security by a lot.
Now there are still many, many merchants—including Target, Home Depot and everyone you know about that was breached—that have not adopted encryption. And we think it’s foolish for a company to be in the middle of payment processing and not have that data encrypted. It’s not that hard to breach a company if you put millions of dollars of effort into it and have people working day and night to find a weakness. That’s what happened to us.
Q: Why are retailers so reluctant?
A: There’s a cost factor in changing the equipment, which is swiped. You have to encrypt when the card is swiped. With our breach, our computers weren’t breached, our network was, and that’s what’s happening around the country now. There’s a big move to go to chip readers, and there’s a change in the rules on Oct. 1 of this year. The rest of the world has this chip technology. It’s just coming to America now. If there’s fraud on your account right now because somebody stole your account, the bank that issued your card has to reimburse your loss. Starting Oct. 1, if somebody stole your card from using it at Target, and (Target) didn’t have a reader for your chip, they would have to pay for your fraudulent transaction. As a result, millions of merchants are in the process of changing out their equipment now for chip readers. That doesn’t protect breaches from happening. If it’s a counterfeit card, then it’s a counterfeit card issue. Merchants still need to encrypt their data, in our opinion.
Q: What goes into the process of changing from a non-encrypted system to an encrypted one? Is it just a matter of the point-of-sale equipment?
A: The magnetic stripe card has been here for forever. Even the chip cards that are issued have magnetic stripes. That’s because not every merchant is going to be able to read a chip. To get encrypted, when that card is run there’s a reader that the magnetic stripe gets swiped through, and there’s a device called a TRSM, a tamper-resistant security module, that needs to be installed on that reader. So the card number—which you can read on the front of your card—gets scrambled before it even goes down the line to the computer it’s next to. You have to go in and take apart the reader and replace it. That’s why it’s more expensive. It’s a manageable cost, and since merchants now are going to the chip, they’re having to change out their machines anyway; they should also be changing it out to an encrypting machine.
Q: What are some of the lessons you learned from your own breach?
A: Any business of any size should do everything it can to take private data out of its network—encrypt it or take it out of the network. There is a technology called Out-of-Scope that Heartland has. The credit card information never goes into the point-of-sale computer. The way these breaches have happened is the bad guys have been able to get inside the point-of-sale computers at the checkout line and steal information right there as it’s being swiped. Now the movement—and we’re sort of a leader in this area—is taking a separate machine. For small merchants, they have a separate machine. It’s a standalone device that’s not connected to the point-of-sale computer. So we’re going back to that approach, only there’s a cable between the standalone device and the computer.
By connecting it the way I just described, the card number goes from the standalone machine directly to Heartland and never touches the vendor’s computer. We send the receipt back to the standalone machine and then we send to the computer the last four digits of the card number and the approval code. So if Target or Home Depot had had that, and they got breached, the bad guys would have had nothing of value to go make counterfeit cards. We’re not the only ones doing it—the other big (service) companies are doing it too.
Q: Beyond technology, are there other fail-safe practices?
A: There are volumes written about best practices through the PCI, the Payment Card Industry. PCI standards are defined by a group of people in the payments business, led by Visa and MasterCard, and all of us are required to live by those rules. We all do and those are very important as well. They don’t prevent breaches.
Q: Where do you see payment processing heading in the next two years?
A: On the iPad and mobile phones—all of that type of thing—the security requirements are different because the technology is different. That’s the big issue that’s going to become more prevalent, and then of course people buying online, that’s becoming bigger and bigger. There, if you think about it, you’re entering your number into a keyboard, and there’s really no way to encrypt it unless you buy a special computer, and most people aren’t going to buy a special computer to do that. It’s called “card not present” business. So the “card not present” world and the mobile technology world are going to become even more important as the next few years go by.
Robert Carr co-founded Heartland Payment Systems in 1997 and currently serves as the firm’s chairman and chief executive officer, overseeing strategic direction and growth for the firm. Carr’s experience prior to Heartland includes serving as a professor at Parkland College in Champaign, Illinois; working at the Bank of Illinois; and founding a software and consulting firm serving small and midsize businesses.