Philly FRB: Lessons Learned from Heartland Data Breach
The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published "Heartland Payment Systems: Lessons Learned from a Data Breach," a discussion paper on the Heartland Payment Systems breach. The paper is a summation of a workshop held in August 2009 at the Philadelphia FRB, where Heartland CEO Bob Carr led a discussion of the events surrounding the breach and lessons learned as a result.
Heartland Payment Systems announced on Jan. 20, 2009 that it had been the victim of what is now thought to be the largest breach of card data, an estimated 130 million payment cards taken by hackers over a six-month period.
In his presentation, Carr shared details of the breach and what actions the company and industry are taking. Joining Carr in the workshop was the former director of the Payment Cards Center, Peter Burns, who now is a senior payments advisor to Heartland. They outlined Heartland's post-breach efforts, which are directed to improving information sharing and data security within the consumer payments industry. Carr introduced several technology solutions that are under discussion in payment security circles as ways to better secure payment card data as they move among the different parties in the card payment systems: end-to-end encryption, tokenization and chip technology.
Heartland recently launched its own end-to-end encryption solution for its merchants and is also active in the development of an industry-wide standard for encryption.
The full report is available for download.