Heartland Payment Systems announced yesterday that they are taking a much more aggressive posture in response to last year's breach of their credit card processing systems. According to Computer World, Heartland has developed an end-to-end encryption solution utilizing AES to protect card data transmitted to them from the merchants who use them for card processing. Computer World even suggests this is intriguing enough that Visa is interested in adopting it above and beyond the PCI/DSS standard that Visa has a major stake in defining.
As usual, I don’t comment if I don’t believe there are some problems with this situation. Don’t get me wrong, I am very pleased that Heartland is stepping beyond the lowest common denominator and potentially forging a new path in securing consumers’ information in transit in the North American market. The concern I have is that this “multi-million dollar technology” they have developed is not subsidized to the merchant, creating a dual-tier system where only those with the highest margins can afford to adopt the technology. Additionally, this is only one part of the issue. In general, I do not believe the simple modem-based terminals many merchants use to communicate with Heartland are vulnerable in any serious way to begin with. The bigger issue is Visa, Mastercard, and the other credit card mafioso requiring that communications between card processors like Heartland and their networks NOT be encrypted. Good on Heartland, albeit too late to protect those that have already been victimized. Hopefully this will inspire the industry to reconsider its checkered past, and do what we all assumed they already were doing: the right thing.