Sloppy security standards harm consumers, or what has VISA done for you lately?
At some time in 2008, Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, and delivering credit/debit/prepaid card processing to businesses nationwide, was breached in a way that exposed up to 1.5 million credit cards to network hackers. (See, Dan Goodin, US credit card payment house breached by sniffing malware (January 20, 2009) www.theregister.co.uk and Press Release: Heartland Payment Systems Uncovers Malicious Software In Its Processing System (January 20, 2009) news.prnnewswire.com.) Heartland then engaged in an effort to spin the breach, lauding the amazing efforts of its employees to deal with the situation and demanding industry date encryption reforms that it should have been using already. (See, Press Release: Heartland CEO Calls for Industry Cooperation to Fight Cyber Criminals and Adoption of End-To-End Encryption (January 23, 2009) www.snl.com and Anthony M. Freed, Hearland Breach Bad As Tylenol Poisonings? (January 25, 2009) information-security-resources.com.)
Meanwhile, at least some questions have been asked about the timing of trades made by Hearland's CEO, as compared to when Heartland first suspected that it had been breached. (See, Anthony M. Freed, Did Heartland CEO Make Insider Trades? (January 29, 2009) information-security-resources.com and Anthony M. Freed, Heartland Update: Reps Respond To Questions (February 1, 2009) information-security-resources.com.) The SEC and other agencies are investigating Heartland following the breach. (Robert McMillan, SEC, FTC Investigating Heartland After Data Theft (February 25, 2009) www.pcworld.com.)
Today, after doing little to publicize the breach, VISA declared Heartland out of compliance with the "Data Security Standards established by the Payment Card Industry Security Council." (Dan Goodin, Visa yanks creds for payment card processing pair (March 13, 2009) www.theregister.co.uk and see Anthony M. Freed, Visa Puts Heartland on Probation Over Security Breach (March 13, 2009) seekingalpha.com.) Frankly, I'm not impressed with the incredible speed of VISA's reaction to this mess. I think it likely that, as Mr. Freed speculates, VISA is more worried about potential inclusion in the Dow Industrial Average than in exposing massive flaws in the transmission and processing of credit card transaction data.
This isn't just a theoretical harm either. People have been arrested for using card data in Florida. (Wauneta Breeze, Three Florida men arrested for using credit card data from Heartland breach (March 13, 2009) www.waunetanebraska.com.) But consumers aren't the only victims. I was notified by my financial institution that my VISA debit card may have been compromised. I called to find out what may meant. At the time, I speculated that the financial institution had been advised of a data breach and was notifying me pre-emptively. Turns out I was right, but I had no idea about the scope of the breach. In any case, I asked for some background and learned that this tiny financial institution had 2,500 customers on the Heartland breach list. They said that they probably incurred about $10,000 in overtime wage expenses just handling the correspondence and new card mailings to customers. I was told that there was little chance that the costs would be recovered.
Considering the state of encryption art and the fact that millions upon millions of people have data stored with companies like Heartland, there is no excuse for not implementing end-to-end, high-integrity encryption of all such data. Eastern European hackers shouldn't be able to load a data logging virus into the network processing credit card transactions. And if the data was encrypted internally at all stages, it wouldn't matter if they did. Consider me not particularly troubled by the fact that Heartland's stock took a dive after this was announced. Instead of worrying about when to exercise stock options, try worrying about keeping our data secure.