BAI Exclusive: Heartland CIO on Payments Security

Steven Elefant joined Heartland Payment Systems as a consultant in November 2008. Two months later, the company announced it had been the victim of the biggest reported data hack in history.

Now CIO of Heartland, Elefant appeared at the BAI Retail Delivery Conference & Expo in Boston and sat down with Tom Field to discuss:

The impact of the breach on Heartland;
How Heartland is different today as a result of the breach;
The future of payments security - and why Heartland is betting on end-to-end encryption.

Elefant was the founder of several successful Silicon Valley startups and venture capital firms. He is co-founder and former chief executive officer of ICVerify, Inc., a leader in payments processing integration for PC-based POS software. The company merged with CyberCash, Inc. in 1998 to form an Internet and physical service provider for electronic payments software.

He has been an active member of the US Secret Service Electronic Crimes Task Force for more than six years, as well as the Federal Bureau of Investigation's Infragard Electronic Crimes Task Force for the past five years.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking with Steve Elefant, the Chief Information Officer with Heartland Payment Systems. Steve, thanks for joining me.

STEVE ELEFANT: My pleasure, Tom.

FIELD: We are here at the BAI Retail Delivery Conference and Expo; you are here for the week. What are your impressions so far? What are people talking about?

ELEFANT: They are talking about the changes in the industry that are going on, especially for us, talking about things that we are doing with end-to-end encryption, trying to increase security in the payments world.

FIELD: End-to-end encryption has been a big topic this year, the payments world has been a big topic, Heartland has been a big topic. Now certainly we have talked about Heartland and its impact upon financial institutions and what customers have had to say. What has the impact of the Heartland breach been upon Heartland and people like yourself that work there?

ELEFANT: It has certainly been a challenging year, but I think for the most part we have looked at this as an opportunity to really increase security for the industry and really start to change ... how we secure transactions and how we share information.

FIELD: Steve, how would you say, from your perspective, Heartland is different today in how you operate and the team operates than maybe a year ago?

ELEFANT: You know, Heartland has always been security focused. I came in shortly before the breach, and I found that there are over 400 IT professionals in the organization that are very focused on keeping our customers and ourselves secure. I think we upped the vigilance even more, and we are in the process of trying to use the Tylenol analogy -- you know, where Tylenol got their bottle breach in the '80s and came out with a tamper-resistant bottle, we are coming out with a tamper-resistant terminal for the first time on Heartland's own terminal.

FIELD: Steve, just for some context, why don't you tell us a little bit about yourself and how you came to Heartland. And then you talked a little bit about the size of the organization; it would be nice to know sort of the scope of the organization you oversee.

ELEFANT: Sure. I have been in the payments world for 25 years. I started with a company called ICVerify back in the '80s, which was the first PC payments software, and ramped that up to 250,000 merchants in 21 countries and half a dozen languages around the world, and then merged that with CyberCash, and I was the Vice Chairman of CyberCash and then went on to do a number of other startups, both in payments options and venture capital, prior to joining Heartland. I have known about Bob Carr, the CEO of Heartland, since I started with ICVerify back in the '80s, so for over 20 years, and it was a [good] opportunity to come in and create another paradigm shift. What Bob created with Heartland is a very impressive organization. We have 3,100 employees, we do 4.2 billion transactions a year, we do not only credit card processing ... And I am more of a nontraditional CIO, so I am not dealing with the plumbing as much as products, so I am now responsible for product strategy, business development.

FIELD: So you come more from the business side than from a tech side?

ELEFANT: Both. I am often accused of being a techie.

FIELD: Now, you talked a little bit about end-to-end encryption, about Heartland's solution. What do you see as the future of payments processing based on lessons learned and where the industry is today?

ELEFANT: I think it is--what we are really focused on is called a one, two, three punch now, where we have combined what is called dynamic data authentication, which is basically taking a digital fingerprint of the card, and this helps combat skimming of cards and then cards being created with that data, and then combining that with end-to-end encryption and beyond that what we will term back office tokenization. So completely taking the credit card number out of the payment stream, so that merchants never have to touch it, and therefore their PCI responsibilities can be greatly diminished.

FIELD: Now what is it going to take to get from where we are today to that point? What does it require?

ELEFANT: Well, we have been working really hard for the last -- actually before I got to Heartland, they had already been working on it, but for the last year that I have been there, and we launched our data for beta for end-to-end encryption at the end of June, and we have been running that since then, and we plan on releasing that to our sales personnel and our merchants, the end-to-end encryption system, by the end of the year.

So for the merchant it is an upgrade of a terminal or a magcard reader or a signature capture device or whatever it may be, it is a one-time charge. You know, Heartland fundamentally believes that merchants should not have to pay more to be secure, and there seems to be a large diversity of opinion on that right now. There are some people that look at this as an opportunity as they are securing the industry to charge merchants more, and we just don't believe that.

So you know, our hardware is competitively priced with anything that is on the market today, but a lot more secure, and once you upgrade the hardware there are no transaction fees, additional fees, taxes; it is a one-time upgrade. And we know that merchants don't want to spend more money in a tight economy on hardware, so having done this for 25-plus years I think it has to meet sort of two basic criteria for a merchant to want to spend money. It has to ease their pain, and it has got to save them money, and ultimately I think end-to-end encryption, back office tokenization, and the digital fingerprint will do that for them.

FIELD: What are the challenges to go through? I mean, you hear a lot of people talking about tokenization versus end-to-end encryption. What are the objections you are going to have to overcome?

ELEFANT: For Heartland, most of our merchants are in the physical retail world, so it is card present, and we have some card-not-present business, but in the card present world it is pretty straightforward that they adopt this kind of a solution. Tokenization, as an example, is a good solution for the card-not-present world, but in the card present world the bad guys got really smart and they look for the weak links at the edges, and I see a lot of end-to-end solutions out there that people are talking about as being end to end, and when they peel the onion back I find oftentimes that they are not end to end, they are really point to point. So it may be secure from a terminal to a store controller, from a store controller to a gateway -- but that is not end to end, that is point to point.

So what we mean by end to end is from the time that the digits leave the magstripe and you are converting that analog magstripe into digital zeroes and ones, all the way through a terminal, over the wires, through our processing network, until we securely deliver that to the brands. That is truly end to end, with very strong encryption in the middle using AES encryption. So tokenization on the back end makes a lot of sense; on the front end, if you have to get it from a terminal to a token server, it is exposed. So yes, it is certainly better than what is being done today, but is it good enough? We don't think so, at least in the physical card present world.

FIELD: So, we are here at the BAI event. What are the things you are here to be talking about with customers and the constituency at the event?

ELEFANT: The main focus for us is securing the transaction flow and offering additional value added with the services that Heartland provides.

FIELD: What are the things you are hearing people talking about so far?

ELEFANT: Everybody's talking about the economy as usual, but in the technology realm I think that most of the questions that we are getting really focus around PCI -- you know, how can they reduce the PCI burden and not have to be in the realm of constantly policing credit card numbers, when the merchants want to focus more on their business?

FIELD: Well, Steve, I appreciate your time and your insight, and I hope that your second year at Heartland is, let me say, less eventful than your first year.

ELEFANT: Thank you very much, I appreciate it, Tom.
