Posts Tagged ‘data security’

Heartland Payment Systems Uncovers Malicious Software In Its Processing System

Wednesday, January 21st, 2009

Company Release - 01/20/2009 09:00

No merchant information or cardholder Social Security numbers compromised.

PRINCETON, N.J., Jan. 20 /PRNewswire-FirstCall/ — Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website - www.2008breach.com - to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit www.heartlandpaymentsystems.com and www.MerchantBillOfRights.com.

Forward Looking Statements

This press release may contain statements of a forward-looking nature which represent our management’s beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors. Information concerning these factors is contained in the Company’s Securities and Exchange Commission filings, including but not limited to, the Company’s annual report on Form 10-K, or Form 10-Q as applicable. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.

For More Information:
Nancy Gross
Phone: 215.519.7367
Email: Nancy.Gross@e-hps.com
SOURCE Heartland Payment Systems, Inc.

Visa Sets 2009 Global PCI DSS Deadlines

Tuesday, January 20th, 2009

Data Security Compliance Requirements Aligned Across Visa Regions

San Francisco, CA, November 10, 2008

Visa Inc. (NYSE: V) today announced global mandates for compliance with the Payment Card Industry Data Security Standard (PCI DSS), creating a consistent framework for compliance among merchants, service providers and their agents.

The enhancements include a global set of requirements for merchants to validate their compliance with PCI DSS; and for the largest merchants, dates by which they must achieve validation. Deadlines are also set for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. Service provider levels and PCI DSS validation requirements have likewise been aligned under a global standard and compliance timeline. Compliance with PCI DSS will help protect businesses from the financial and reputational harm that often results from cardholder data compromises. Visa data security compliance programs have provided compelling incentives for merchants and agents to properly secure cardholder data.


The new framework establishes the minimum requirements for Visa Inc. regions.  As an independent company and licensee of Visa International for the business operations in European markets, Visa Europe’s PCI DSS framework requires compliance validation and risk mitigation for Level 1 merchants; however the region will be adhering to a different timeline and process for executing compliance validation. 


“Compliance with PCI DSS is vital to ensuring the integrity of the global payments system,” said Eduardo Perez, head of global data security, Visa Inc.  “Aligning compliance programs across the Visa regions is the latest step in our commitment to safeguarding cardholder data.” 


MERCHANT VALIDATION REQUIREMENTS


Alignment of Merchant Levels and PCI DSS Validation Requirements
A comprehensive set of international security requirements for safeguarding cardholder data, PCI DSS was developed by Visa along with the four other founding payment brands of the PCI Security Standards Council.  Compliance is required of all merchants and any entity that stores, processes or transmits cardholder data. 


Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume.  Visa has globally aligned merchant levels and annual PCI DSS validation requirements as follows: 

| Level / Tier [1] | Merchant Criteria | Validation Requirements |
| --- | --- | --- |
| 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region [2] | Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”); quarterly network scan by Approved Scan Vendor (“ASV”); Attestation of Compliance Form |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Annual Self-Assessment Questionnaire (“SAQ”); quarterly network scan by ASV; Attestation of Compliance Form |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form |
| 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually | Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer |

1 - Compromised entities may be escalated at regional discretion.
2 - A merchant meeting Level 1 criteria in any Visa country/region that operates in more than one country/region is considered a global Level 1 merchant. An exception may apply to global merchants if there is no common infrastructure and Visa data is not aggregated across borders; in such cases the merchant validates according to regional levels.


Acquirers are responsible for their merchant customers’ compliance and must provide regular compliance status reports to Visa on their Level 1, 2 and 3 merchants at least twice a year. Compliance validation guidelines for Level 4 merchants will be determined by their respective acquirers.


Prohibited Data Storage Deadline for Level 1 and 2 Merchants - September 30, 2009
Visa will require confirmation from acquirers by September 30, 2009 that their Level 1 and 2 merchants do not retain sensitive payment card data such as full magnetic stripe (also known as track data), security codes or PIN data after transaction authorization. 


“Hackers are looking for this type of data because of its use in counterfeiting payment cards, and that is why Visa prohibits its storage,” said Perez. 


After the deadline, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of the acquirer’s Level 1 and 2 merchants do not retain prohibited data.  The September 30, 2009 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established. 
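One defender-side check for the retention requirement just described, added here as an example and not Visa’s or this page’s own code: it scans constructed sample transaction log lines for ISO/IEC 7813 Track 1 and Track 2 records (full magnetic stripe data) and uses the Luhn check digit to suppress random digit runs, reporting only masked PANs.

```python
import re

# Track layouts follow ISO/IEC 7813 (the magnetic stripe "track data" that
# Visa prohibits retaining after authorization).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_track_data(text: str) -> list:
    """Return one finding per Luhn-valid track record; the full PAN is never copied."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if not luhn_valid(pan):
                continue        # random digit run, not a real PAN
            findings.append({
                "track": track,
                "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                "offset": m.start(),
            })
    return findings


# Constructed sample log (test PAN 4111111111111111, not a real cardholder).
SAMPLE_LOG = "\n".join([
    "2009-01-15 10:01:02 AUTH ok pan_last4=1111 amount=42.10",                    # truncated PAN: compliant
    "2009-01-15 10:01:03 DEBUG raw=;4111111111111111=1012101123456789?",          # retained Track 2: violation
    "2009-01-15 10:01:04 DEBUG raw=%B4111111111111111^DOE/JANE^1012101123456?",   # retained Track 1: violation
    "2009-01-15 10:01:05 DEBUG raw=;4111111111111112=1012101000000000?",          # fails Luhn: ignored
])

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

Run against exported logs, database dumps or disk images to produce the evidence an acquirer needs before attesting that no prohibited data is retained.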


PCI DSS Compliance Validation Deadline for Level 1 Merchants - September 30, 2010
Visa will require acquirers to provide an Attestation of Compliance for each of their Level 1 merchants demonstrating that each has validated full PCI DSS compliance by September 30, 2010.  After that date, Visa will impose appropriate risk controls, up to and including acquirer fines for failure to provide an attestation form to Visa confirming that each of its Level 1 merchants has validated full PCI DSS compliance.  The September 30, 2010 deadline does not supersede any applicable earlier regional deadlines and related enforcement programs previously established. 


SERVICE PROVIDER VALIDATION REQUIREMENTS


Alignment of Service Provider Levels and PCI DSS Validation Requirements
Effective February 1, 2009, service providers that store, process or transmit Visa cardholder data on behalf of Visa acquirers, issuers, merchants or other service providers will fall into one of two service provider levels:

| Level [1] | All Regions | Validation Requirements | Result |
| --- | --- | --- | --- |
| 1 | VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year | Annual ROC by QSA; quarterly network scan by ASV; Attestation of Compliance Form | Included on Visa’s list of compliant Service Providers |
| 2 | Any service provider that stores, processes and/or transmits less than 300,000 transactions per year | Annual SAQ; quarterly network scan by ASV; Attestation of Compliance Form | Not included on Visa’s list / Confirmation Letter of Receipt [2] |

1 - Eliminates the gateway definition from several existing regional programs.
2 - May choose to validate as a Level 1 service provider to be included in Visa’s List of Compliant Service Providers.


In addition to aligning service provider validation levels globally, Visa will implement a common PCI DSS full compliance validation process for all service providers.  Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form and the “Executive Summary” section of the service provider’s Report on Compliance (ROC) to demonstrate full PCI DSS compliance as a Level 1 service provider.  Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).  Issuers and acquirers are responsible for reviewing the accuracy of the SAQ.


A “List of Compliant Service Providers” is available at www.visa.com to help issuers, acquirers and merchants identify and use PCI DSS compliant service providers.


“Standardizing compliance requirements better addresses the security risks in our truly global marketplace and is critical to ensuring the future growth of electronic payments worldwide,” Perez concluded.


Summary of Aligned Framework by Date

| Effective Date | Globally Aligned Mandate |
| --- | --- |
| February 1, 2009 | Effective date for globally aligned Service Provider level definitions |
| September 30, 2009 | Acquirers must attest that Level 1 and 2 merchants do not retain prohibited payment card data subsequent to authorization of a transaction |
| September 30, 2010 | PCI DSS compliance validation deadline for Level 1 merchants |


About Visa
Visa operates the world’s largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world and Visa/PLUS is one of the world’s largest global ATM networks, offering cash access in local currency in more than 170 countries. For more information, visit www.corporate.visa.com.

What does EMV mean in payment processing?

Tuesday, December 30th, 2008

EMV is a standard for the interoperation of IC cards (“chip cards”) and IC-capable POS terminals and ATMs, used for authenticating credit and debit card payments. The name EMV comes from the initial letters of Europay, MasterCard and Visa, the three companies that originally cooperated to develop the standard. Europay International SA was absorbed into MasterCard in 2002. JCB (formerly Japan Credit Bureau) joined the organisation in December 2004. IC card systems based on EMV are being phased in across the world under names such as “IC Credit” and “Chip and PIN”. The EMV specification is also the basis of the Chip Authentication Program, in which banks give customers hand-held card readers to perform online authenticated transactions.

The EMV standard defines the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. Portions of the standard are heavily based on the IC Chip card interface defined in ISO 7816.

The system is not compatible with the original Carte Bancaire smart cards systematically deployed in France since 1992. However, the French Carte Bancaire now also uses the EMV standard.

The most widely known implementations of EMV standard are:

* VSDC - VISA
* MChip - MasterCard
* AEIPS - American Express
* J Smart - JCB

MasterCard has a Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes.

Differences and benefits of EMV

The purpose of the EMV standard is to specify interoperability between EMV-compliant IC cards and EMV-compliant credit card payment terminals throughout the world. There are two major benefits to moving to smart-card-based credit card payment systems: improved security (with associated fraud reduction), and the possibility of finer control over “offline” credit card transaction approvals.
The goals and benefits of EMV:
- A high-level standard for the terminal↔card API.
- Reduced cost and time for software development (POS, ATM, HSM, …).
- By contrast, a non-EMV payment smart card has its own cryptographic protections (RSA, DES) based on local, proprietary standards.

EMV financial transactions are more secure against fraud than traditional credit card payments, which use the data encoded in a magnetic stripe on the back of the card. This is due to the use of cryptographic algorithms such as DES, Triple-DES, RSA and SHA to authenticate the card to the processing terminal and the transaction processing center. However, processing is generally slower than an equivalent magnetic stripe transaction, because of the cryptographic overhead and the time involved in message transmission between the card and the terminal. The increased protection from fraud has allowed banks and credit card issuers to push through a ‘liability shift’ such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.

Although not the only possible method, the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt. Whether or not PIN authentication takes place depends upon the capabilities of the terminal and the programming of the card. For more details of this (specifically, the system being implemented in the UK) see Chip and PIN. In the future, systems may be upgraded to use other authentication methods, such as biometrics, which are generally not considered economical as of 2007.

Control of the EMV standard

The first version of the EMV standard was published in 1999. The standard is now defined and managed by the public corporation EMVCo LLC. The current members of EMVCo are JCB International, MasterCard Worldwide, and Visa, Inc. Each of these organizations owns one third of EMVCo and has representatives in the EMVCo organization and EMVCo working groups.

Recognition of compliance with the EMV standard (i.e. device certification) is issued by EMVCo following submission of results of testing performed by an accredited testing house.

EMV Compliance testing has two levels: EMV Level 1 which covers physical, electrical and transport level interfaces, and EMV Level 2 which covers payment application selection and credit financial transaction processing.

After passing the common EMVCo tests, the software must also be tested for compliance with each payment brand’s EMV implementation (Visa VSDC, MasterCard MChip, …).

List of EMV documents and standards

Since version 4.0, the official EMV standard documents, which define all the components in an EMV payment system, are published as four “books”:

* Book 1 - Application Independent ICC to Terminal Interface Requirements
* Book 2 - Security and Key Management
* Book 3 - Application Specification
* Book 4 - Cardholder, Attendant, and Acquirer Interface Requirements

Versions

The first EMV standard, EMV ’96 Version 3.1.1, appeared in 1996. Another version, EMV 2000, was released in December 2000, followed by Version 4.0 in May 2004.

Version 4.0 became effective in June 2004. Version 4.1 became effective in June 2007. Version 4.2 was published in June 2008.

External link
* EMVCo, the organisation responsible for developing and maintaining the standard

Portions of the above definition provided under GNU documentation license. Copyright (c) 2008 3D Merchant Services LLC.
Permission is granted to copy, distribute and/or modify this document ONLY
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

If your company is considering purchasing or leasing new equipment, make sure that it is EMV compliant. The Hypercom T7 Plus is just one example of an EMV compliant terminal.