The Future of Secure Electronic Payments
San Diego, August 10, 2009
This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end-to-end encryption solution, the possibility that if we are successful in developing and implementing an end-to-end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10-K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation.
Topics / Agenda – The Future of Electronic Payments
• What Is The Problem? The Cybercrimes Arms Race
• Who Is Heartland Payment Systems?
• What Happened and What Has/Will It Cost?
• What Did We Do About It and What Are We Doing Now?
• Massive Quantity/Quality of Breaches Call for Enhanced Solutions
• Our New Solution Called E3 – End-to-End Encryption
• This Is A Crisis and We All Need to Work Together
• A Few Humble Suggestions
The Cybercrimes Arms Race
• Escalation of more and more effective spear phishing, injections, etc.
• Compliance is not enough
• Assessments are not worth much
• Hijacking of internet domains – Network Solutions
• Massive zero-balance ACH fraud
• The financial systems infrastructure needs to be and will be upgraded!
Your Protection Against Potential Insider Attacks
• Any terrific service people who save data against company policy to help customers – no harm intended?
• Any IT people who work around some of the inconveniences of required security that are admittedly good for everyone else?
• Any C-level folks (IT or otherwise) who don’t want to follow stringent password or other security policies, so get hard-coded work-arounds?
• Certain there is no black hat in your employ?
• Any employees/consultants with access who might be tempted with a bribe?
Heartland Payment Systems – What is Our Business?
• Card processing
   • Credit/debit/prepaid cards:
      • Process 11 million transactions a day
      • Process over 4.2 billion transactions annually
      • Fund accepting merchants over $80 billion annually
• Payroll processing (small competitor to Paychex and ADP)
• Check 21 processing (electronic depositing of scanned checks)
• Online payment processing
• MicroPayments – vending, laundry, campus solutions
• Gift cards and loyalty programs
Heartland Payment Systems 12 Years Ago ... And Today
                 1997 (1st trans. 6/15/97)    July 31, 2009
• Clients        2,350                        250,000
• Employees      25                           3,109
• Rank           #62 in US                    #5 in US ... #9 in world
• Portfolio      $0.4 billion                 $80 billion
Heartland Service Center – HPY owned – 650 employees – 35-acre site across the Ohio River from Louisville, KY
5 Year Financial Results 2004-2008 ($ thousands, except EPS in $)
Year   Net Revenue   Net Income   EPS
2004   137,796       8,855        0.26
2005   186,486       19,093       0.50
2006   245,652       28,544       0.71
2007   294,771       35,870       0.90
2008   383,708       41,840       1.08
Financial Strength
• Balance sheet – 12/31/2008
   • Cash on hand – $49.6 MM
   • Debt – $75 MM
   • Equity – $179.2 MM
   • Assets – $463.6 MM
• Income statement – 2008
   • Gross receipts – $1,545 MM
   • Pre-tax income – $70.6 MM
   • After-tax income – $41.8 MM
• A Fortune 1000 company in 2010? (missed in 2009 by 0.2%)
What Happened?
• Winter–Spring 2008 – Sniffer attack on Hannaford announced – changed the game!
• HPS creates a dedicated Chief Security Officer position and fills it
• April 30, 2008 – HPS passes sixth consecutive PCI DSS assessment by the largest QSA
• Mid-May 2008 – Penetration of payments network
   • Possibly related to an attack in very late 2007 on a customer-facing web page
   • Detected within 48 hours / no payment data implicated
What Happened – The Investigation and the Announcement
• Late Oct. 2008 – Informed by a card brand that issuers suspected a potential breach of one or more processors
   • HPS requested sample fraud transactions
   • Many sampled transactions never touched our payment network
• Nine weeks following the Oct. 2008 inquiry – Despite ongoing investigation by Heartland and two separate forensic companies, no evidence of an intrusion discovered
• Jan. 9, 2009 – Forensic companies advised they had nearly completed their investigations and found no problems; final reports expected shortly
• Jan. 13-20, 2009 – Discovered suspicious malware and learned of the breach
   • Notified law enforcement, card brands
   • Public announcement
What Has It Cost Heartland?
• ~50% reduction in market cap (~$400MM)
• 1H09 – $32 million in expense, including:
   • Forensics
   • Legal
   • Visa fine < $1MM
   • MasterCard fine ~$7MM
   • Settlement offer
• 2H09 and beyond – to be determined
What Has/Will It Cost Issuing Banks and Other Stakeholders?
• Contrary to industry speculation, the cost is NOT acceptable
• Issuing banks:
   • Customer attrition
   • Cost of reissuing and monitoring for fraud
   • Fraud
• And... the electronic payment industry worries about lost consumer confidence (all stakeholders in the electronic payment system)
What Did We Do About It?
• Additional security enhancements
   • Complete reimaging of servers
   • Additional network segmentation
   • More intense monitoring
   • More intense DLP efforts (Vontu)
• Everything else the card brands requested
   • Follow probation requirements
• Requested meetings with the card brands
• Requested meeting with PCI SSC officials
• Worked non-stop to obtain recertification
What Were We Doing Before & What Are We Doing Now?
• Before learning of our breach (after the sniffer attack at Hannaford)
   • Speaking out about the need for improved systems
      • Federal Reserve Bank of Philadelphia panel
      • Merchant Advisory Group
      • VeriFone user conference
   • Began developing an end-to-end encryption solution
   • Asked ANSI X9 – F6 to develop an end-to-end encryption standard
• After learning of our breach
   • Formed the FS-ISAC Payments Processing Information Sharing Council (PPISC) and distributed malware and attack vectors
   • Focused on ramping up end-to-end encryption development
   • Ramped up ANSI X9 – F6 leadership
The Bigger Picture
• Knowledge of security threats should not be viewed as a competitive advantage.
• Heartland’s approach:
   • Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem
   • Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security
The Heartland E3 Terminal
Heartland Confidential
Physical Security
• HPS E3 terminal is a multi-level TRSM (tamper-resistant security module)
• Tamper response and resistance
   • Battery-backed switches, epoxy, wire mesh, etc.
• Protect the PCB (printed circuit board) and processors
• Wire mesh enables tamper response and protects the keypad, PCB and processors
Offline Encryption, Centralized Decryption Using IBE & FPE
At the POS (inside the TRSM):
1. Random FPE Key = 0x12a36cde87fa6d3c10896d3e2c85003b
2. KMB = IBE-Encrypt(Public Key, Random Key)
3. Save KMB to TRSM
4. Encrypt PANs using Random Key:
   1234-5678-6543-3214 -> 5673-4678-9012-3678
   6803-3467-5012-2456 -> 7208-3892-1087-6444
   3890-7384-5901-2654 -> 9645-0123-8911-6328
   …
POS -> Processing Center:
5. Transfer KMB + (5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328)
At the Processing Center (forwarding to the Card Brands):
6. Decrypt only when Card Brands require:
   Decrypt(KMB, 5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) = (1234-5678-6543-3214, 6803-3467-5012-2456, 3890-7384-5901-2654)
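The six steps above, worked end to end as an added example; this is not Heartland's code (the slide shows none) and makes two labelled substitutions: RSA-OAEP stands in for the identity-based encryption (IBE) that wraps the random key into the KMB, and a toy HMAC-based Feistel network stands in for a standardized format-preserving encryption (FPE) mode such as NIST FF1. The processor's key pair, the `E3-KMB` label and all function names are assumptions; the sample PANs are the ones printed on the slide.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// Toy format-preserving cipher over digit strings: an alternating Feistel network
// with HMAC-SHA256 as round function. It is NOT NIST FF1/FF3; it only demonstrates
// the property the slide relies on (a 16-digit PAN stays a 16-digit string).
const feistelRounds = 10

func roundF(key []byte, round int, other string) *big.Int {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte{byte(round)}, other...))
	return new(big.Int).SetBytes(mac.Sum(nil))
}

// fpe runs the rounds forwards (encrypt) or in reverse with negated round outputs
// (decrypt). Even rounds mix B into A, odd rounds A into B; big.Int.Mod is Euclidean.
func fpe(key []byte, digits string, decrypt bool) string {
	u, v := len(digits)/2, len(digits)-len(digits)/2
	a, _ := new(big.Int).SetString(digits[:u], 10)
	b, _ := new(big.Int).SetString(digits[u:], 10)
	for i := 0; i < feistelRounds; i++ {
		r := i
		if decrypt {
			r = feistelRounds - 1 - i
		}
		x, other, w := a, fmt.Sprintf("%0*d", v, b), u
		if r%2 == 1 {
			x, other, w = b, fmt.Sprintf("%0*d", u, a), v
		}
		f := roundF(key, r, other)
		if decrypt {
			f.Neg(f)
		}
		x.Mod(x.Add(x, f), new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(w)), nil))
	}
	return fmt.Sprintf("%0*d%0*d", u, a, v, b)
}

// keepLayout writes digits back into the separator layout of the original PAN.
func keepLayout(layout, digits string) string {
	out := []byte(layout)
	for i := range out {
		if out[i] >= '0' && out[i] <= '9' {
			out[i], digits = digits[0], digits[1:]
		}
	}
	return string(out)
}

// fpePAN encrypts (decrypt=false) or decrypts a hyphenated PAN, keeping its layout.
func fpePAN(key []byte, pan string, decrypt bool) string {
	return keepLayout(pan, fpe(key, strings.ReplaceAll(pan, "-", ""), decrypt))
}

// posEncryptBatch is the terminal side, steps 1-4: a random 128-bit batch key is
// wrapped to the processor's public key (RSA-OAEP stands in for the slide's IBE),
// the PANs are FPE-encrypted under it, and only kmb and ciphertexts leave (step 5).
func posEncryptBatch(pub *rsa.PublicKey, pans []string) (kmb []byte, cts []string, err error) {
	key := make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if kmb, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("E3-KMB")); err != nil {
		return nil, nil, err
	}
	for _, p := range pans {
		cts = append(cts, fpePAN(key, p, false))
	}
	return kmb, cts, nil
}

// processorDecryptBatch is step 6: only the private-key holder can unwrap kmb.
func processorDecryptBatch(priv *rsa.PrivateKey, kmb []byte, cts []string) ([]string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, kmb, []byte("E3-KMB"))
	if err != nil {
		return nil, err
	}
	var pans []string
	for _, c := range cts {
		pans = append(pans, fpePAN(key, c, true))
	}
	return pans, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the processor's key pair (assumed)
	// Constructed sample: the three PANs printed on the slide, not real card numbers.
	pans := []string{"1234-5678-6543-3214", "6803-3467-5012-2456", "3890-7384-5901-2654"}
	kmb, cts, _ := posEncryptBatch(&priv.PublicKey, pans)
	back, _ := processorDecryptBatch(priv, kmb, cts)
	fmt.Println(cts, back)
}
```

What the example shows that the diagram does not: anything that sits between the terminal and the holder of the processor's private key (the merchant's network, the transport, a processor front-end host without the key) sees only format-preserved ciphertext plus a KMB it cannot open, which is the point of "offline encryption, centralized decryption". One caveat a practitioner should carry over: FPE under a single batch key is deterministic, so two identical PANs in one batch produce identical ciphertexts; a standardized mode such as FF1 takes a tweak (for example a transaction identifier) to bind each ciphertext to its context, and a deployment should use it.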
The Heartland E3 Device Roundup
• Heartland E3 POS
• Heartland E3 wedge
• Heartland E3 insertion reader
• Heartland E3 e-Commerce/middleware
• Heartland E3 unattended devices
• Partnerships with other terminal vendors to bring additional offerings to our merchants
The Future of Secure Electronic Payments
• PCI DSS is a good standard and is properly required by the industry
• Enhancements to consider
   • Better authentication is preferred
      • Chip and PIN
   • Tokenization solutions
   • End-to-end encryption solutions
   • New solutions
The Future of Secure Electronic Payments
• Opportunities for improvement
   • Better protection from insider attacks and human error
   • 6 million small merchants have trouble managing 233 “best practices” aka “requirements”
   • No silver bullet, but reasonable capital investment is preferable to permanent high overhead costs
The Future of Secure Electronic Payments
• Let’s get rid of tampering – encrypt the magnetic stripe when possible and encrypt at the earliest point of entry everywhere else
• How to pay for it?
   • Reduced cost of compliance
   • Reduction of potential liability
   • Carrot and stick from the card brands
A Few Humble Suggestions for a More Effective Approach
• Stop the over-the-top criticism of PCI compliance – not credible
• Stop the attacks on credit interchange – not credible
• Recognize the difference between interchange for credit and for debit
• Recognize the difference between fees to the card brands and interchange to the card issuers