Heartland Data Security Breach: what they didn't say

When you read their press release, there is barely a hint that any harm occurred. What the press release doesn't spell out is which data was compromised and how it was compromised.

Visa and MasterCard received reports of fraudulent card use from their issuing banks last November and subsequently notified Heartland, according to a Washington Post report. Heartland did not even realize it had a problem until the card brands told it.

The problem was internal. It was not an external attack on a database, but the result of spyware placed within their own internal systems. Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network. Everyone passes encrypted data to their processor, but a processor has to decrypt that data to authorize the transaction, so what happened to the data once it reached Heartland? Why is this an important difference? We like to think our databases are secure from outside attack once a company has installed the specific systems and software sold to protect them. If malicious code can sit inside a system that has done everything correctly and read card data as it passes by, then the world of data security as we thought of it is lost.

You really have to read between the lines to figure out what was compromised. Their press release is all about what wasn't lost. Those behind the breach intercepted and stole the so-called Track 2 data from the magnetic stripe on the back of cards: the card number, expiry date, service code and the stripe's own verification value, which is all that is needed to encode a counterfeit magnetic-stripe card. Track 2 does not carry the cardholder's name or the CVV2 printed on the card, which is why the exposure is counterfeit cards rather than identity theft.
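Track 2 is a small, documented layout (ISO/IEC 7813), which is why a memory scraper can lift it out of a running process with a single pattern match, and why a defender can use the same pattern to audit logs and memory dumps for track data that PCI DSS forbids storing after authorization. The Python below is an added example, not code from the article or from Heartland: it parses a Track 2 record, filters out decoys with the Luhn check every real PAN satisfies, masks the PAN for reporting, and scans a constructed byte buffer standing in for a dump. The PANs are the public Visa and Mastercard test numbers, the buffer is made up, and the service-code table covers only the first digit of the code.

```python
"""Added example (not from the article): parse ISO/IEC 7813 Track 2 data and
scan a buffer for it, as a memory scraper or a defender auditing logs and
dumps for prohibited track data would.  All sample data is constructed from
the public Visa/Mastercard test PANs, not data from any breach."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, numeric discretionary data (which carries
# the CVV1/CVC1 used to verify a swipe), '?' end sentinel.  An LRC may follow.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# First digit of the service code (interchange / technology) per ISO/IEC 7813.
SERVICE_CODE_DIGIT1 = {
    "1": "international interchange",
    "2": "international interchange, chip (IC) preferred",
    "5": "national interchange only",
    "6": "national interchange only, chip (IC) preferred",
    "7": "private / no interchange",
    "9": "test",
}


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str
    offset: int  # byte offset in the scanned buffer; 0 for a single record

    @property
    def masked_pan(self) -> str:
        """First six and last four digits, the most PCI DSS allows to display."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real PAN satisfies; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def describe_service_code(code: str) -> str:
    return SERVICE_CODE_DIGIT1.get(code[:1], "unknown")


def _record(m: "re.Match", offset: int) -> Optional[Track2]:
    pan, exp, svc, disc = (g.decode("ascii") for g in m.groups())
    if not luhn_valid(pan):
        return None  # sentinels around a non-PAN number: not track data
    return Track2(pan, exp, svc, disc, offset)


def parse_track2(raw: str) -> Optional[Track2]:
    """Parse one complete Track 2 string; None if malformed or PAN fails Luhn."""
    m = TRACK2_RE.fullmatch(raw.encode("ascii", "replace"))
    return _record(m, 0) if m else None


def find_track2(buf: bytes) -> List[Track2]:
    """Every Luhn-valid Track 2 record embedded anywhere in a byte buffer."""
    found = (_record(m, m.start()) for m in TRACK2_RE.finditer(buf))
    return [r for r in found if r is not None]


# Constructed buffer standing in for a memory dump or log: two records built
# from public test PANs plus a decoy whose number fails the Luhn check.
SAMPLE_BUFFER = (
    b"\x00\x00POS-AUTH-REQ\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00junk;1234567890123456=2512101?\x00"
    b";5555555555554444=27062011234?\x00"
)


def report(buf: bytes) -> List[str]:
    """One line per finding, PAN masked so the report is not itself cardholder data."""
    return [
        f"offset {t.offset}: PAN {t.masked_pan} "
        f"exp {t.expiry_yymm[2:]}/{t.expiry_yymm[:2]} "
        f"svc {t.service_code} ({describe_service_code(t.service_code)})"
        for t in find_track2(buf)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_BUFFER):
        print(line)
```

Run against a real dump or log, any hit is a PCI finding in its own right, since full track data must not be retained after authorization regardless of whether anyone has stolen it yet.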

IMPLICATIONS FOR CONSUMERS:

If you used your card at a merchant that processes through Heartland (and you have no way of knowing whether a given merchant does), your card data may have been compromised. Your card could be cloned and presented for payment at other merchants. Identity theft is not expected to be an issue, because the stolen track data does not carry your name or address. Watch your statements for improper activity, or have your card replaced. Heartland has over 250,000 merchants, many of them restaurants and hotels. Consumers have no financial liability.

IMPLICATIONS FOR MERCHANTS:

Merchants have no financial liability. Merchants may have to download a software update, though Heartland has released no information about this yet. It is possible there will be none. If a download is needed, it could be a nightmare, with so many merchants needing to update at the same time. Since many restaurants use third-party point-of-sale solutions, the burden shifts to those third-party suppliers in some cases.

Do merchants have an obligation to notify customers? No. The data breach is not theirs, and in any case they generally hold no personal information about their shoppers that would let them make contact.

Should merchants change processors? That is a business decision. Read the next section.

IMPLICATIONS FOR HEARTLAND:

What will it cost? If the breached entity is non-compliant at the time of a breach, it can be fined up to $500,000 per incident and face remediation costs of between $90 and $302 per card. With over 100,000,000 transactions a month, at least that many cards were probably exposed; do the math. The cost could be astronomical unless they are protected by safe harbor.

Safe Harbor

Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.

2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.”

Even if they are protected by safe harbor, they still must pay to replace all the affected cards.

If they are not protected by safe harbor, can they afford the fines and costs? If not, what happens to the merchants processing with them?