"Responding to its widely reported and massive data breach that tookplace a year ago, Heartland Payment Systems will be moving to anend-to-end encryption system for payment transactions, according toChairman and CEO Robert Carr: 'We're using encryption on the front endto keep card numbers out of our merchants' systems, and to also haveall the card numbers coming through our network be encrypted throughout,except at the point of decryption'. In January 2009, Heartland PaymentSystems reported that it found that intruders had penetrated its systemsand planted software to harvest card numbers, using SQL injectionattacks to plant programs inside the network that would sniff the cardnumbers.
Heartland, which handles more than 4 billion transactions annually formore than 250,000 merchants, will be using Thales nShield Connecthardware security module along with Voltage Security's SecureDataencryption software as the basis of this capability... This new systeminvolves installing a tamper-resistant security module (TRSM) at thepoint-of-sale system. When a card is swiped, the TRSM encrypts thecard's number with a public key using Identity Based Encryption, andit is sent to the Heartland gateway. This new system will offermerchants the capability to encrypt cards so the merchant themselveswill not house the card numbers on their systems at all, explainedTerrence Spies, the chief technology officer for Voltage Security. Mostmerchant payment-processing systems encrypt the PIN number or securitynumbers of cards. The card numbers themselves aren't typically encryptedat the cash registers, also called point-of-sale systems.
Spies: "The HSM controls the process of decrypting the private key...This system will use a technique called format-preserving encryption(FPE), which means the encrypted numbers will be the same length asthe original card numbers, allowing the encrypted numbers to be usedin other database systems as identifiers, rather than the originalnumbers. Heartland piloted a few test systems with merchants last yearand now plans to start offering the service to all its customers.Because moving to the card encryption will require purchasing newhardware for the register, Heartland will offer the end-to-end encryptionas an opt-in... Carr said that if the merchant implements the systemcorrectly and it then suffers a breach involving the leakage of cardnumbers, then Heartland will assume the liability for the breach..." More Info