Heartland CEO On Why Retailers Keep Getting Breached

Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches.

Heartland Payment Systems chairman and CEO Robert Carr could be considered a rare breed of executive these days. Hes been outspoken about the massive data breach the firm suffered on his watch in 2008 that exposed 130 million US debit and credit card accounts -- the largest breach ever recorded at the time. And in a new breach era when some corporate executives such as
former Target CEO Gregg Steinhafel
have lost their jobs over high-profile breaches, Carr is still firmly at the helm of the payment processing firm.
Carr
led Heartlands adoption of technologies
like end-to-end encryption, tokenization, and EMV chip-and-pin payment card technology to shore up its security after the breach. We took a position in 2009 that were not going to clam up and try to point the fingers at somebody else, he told Dark Reading today. That most definitely helped us a lot.
He has watched the wave of record-breaking retail breaches over the past year, and he says theres a common theme. Whats happening in the meantime is, even though solutions are being introduced, encryption being one we [adopted]… a lot of companies havent implemented the basics, and they are paying the price for it.
Big data breaches keep occurring because companies arent investing in the proper security, such as end-to-end encryption and tokenization, Carr says. The people responsible for spending the money necessary to be safe arent spending the money. They dont take it seriously. What Ive been saying for years is that its going to continue to get worse, because the pool of victims not doing anything or doing enough is shrinking slowly.
Merchants that think theyre too small to be a target will be hit as well, he says, especially as the Tier 1 merchants continue to step up their security game and raise the bar for cybercriminals.
Heartland paid out hundreds of millions of dollars to banks and payment card brands in the wake of its breach. Carr contends that the breached company itself should be held liable, not the payment card firms or other partners. The Heartland breach was our responsibility, he says. I think liability needs to be held by the breached party. Otherwise, theres no other way to police anything.
Blaming MasterCard and Visa for not phasing out magnetic stripe cards a long time ago is a separate argument. Today, if a merchant doesnt do the minimum work to avoid a breach, then they are going to get breached. Its just a matter of when.
EMV or chip-and-pin payment card technology, end-to-end encryption, and tokenization are the key technologies merchants should be adopting. These solutions are pretty readily available today.
The move to chip-and-pin payment card technology -- where smart cards with embedded microchips authenticate the users identity -- is forcing merchants to change out their hardware and thereby spend money to get the equipment they need to get the [card] data out of their systems, he says. If you make that hardware change, [its] insane if you dont also solve the encryption issue. Put tokenization in to protect yourself on the backend, as well.
A lot of executives have taken the less expensive option of neither swapping out their payment hardware nor encrypting the full data transaction. If the bad guys are intercepting transactions on the way to CPU, if you dont encrypt those and get that data out of the clear, you dont have a solution. But a lot of merchants have bought into that.
Thats not to say Carr doesnt have a few regrets about how his firm handled its data breach and the aftermath, where malware infiltrated the companys payment processing system. There are a lot of things I wish could have happened differently. Frankly, I dont know what we could have done differently.
He cited a forensics assessment his company passed with flying colors just before the breach. We were given a clean bill of health the Friday before our breach in the exam. We found the problem, not the forensics teams. Three forensics teams could not find the problem.
For 90 days, Heartland went back and forth with MasterCard and Visa over who was actually breached. He says there was plenty of confusion during that period, and Heartland wasnt looped in on all the investigation specifics. Heartland later confirmed that the breach had begun in June 2008 and ended sometime that August, but the company didnt learn of the attack until January 2009.
Everybody got a lot smarter about handling these breach investigations since then, he says.
Carr occasionally gets asked for advice from newly breached retailers. I tell them were a processor, youre a merchant. Your situation is completely different from ours. But heres what we did -- take what makes sense for you.
[Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption. Read
Breached Retailers Harden PoS, For Now
.]
Meanwhile, Carr is skeptical that cyberinsurance is the answer for protecting firms from breach costs. It gives a false sense of security. Read the exclusions page.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Heartland CEO On Why Retailers Keep Getting Breached