Based on an interview with Heartland Payment Systems CEO Robert Carr, Rachael King writes for BusinessWeek about lessons learned during the Heartland data breach that began in 2008 and was discovered and announced in January 2009.

Heartland Payment Systems has announced that yesterday it successfully completed the first phase of its end-to-end encryption pilot project. According to the company, "this first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data."

Earlier this month Heartland announced it was working with Voltage Security to develop its end-to-end encryption approach. READ MORE

Mercator Advisory Group has published a new report, End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance that "explores end-to-end encryption (E2EE) in the hands of merchants, payment service providers and processors. In the face of the three bogies of PCI DSS compliance and penalties, reputational risk and direct financial loss, the acquiring half of the payments process is evaluating options for eliminating cleartext cardholder data from their systems. Tokenization (the subject of a recent Mercator report) and end-to-end encryption are the leading candidates. This report examines the complexity of E2EE within payments and enterprise security." READ MORE

Merchant Link has announced that it will offer later this year its TranactionVault hosted credit card security product and service to users of the latest version of the MICROS OPERA Property Management System (PMS). READ MORE

Heartland Payment Systems has selected Voltage Security as a partner to develop end-to-end encryption (E3) software specifically suited to payments processing.

“Heartland is developing a complete end-to-end encryption solution designed to protect cardholder data at all stages of a transaction – from card swipe through delivery to the card brands,” said Bob Carr, Heartland’s chairman and chief executive officer. “Together with Voltage, we are developing a comprehensive solution that currently does not exist.” READ MORE

A new research report titled "Protecting Personal Information: We Lost the Battle, Can We Win the War?" by TowerGroup declares that the financial services industry has lost the battle to protect consumers' personally identifiable information (PII) data. TowerGroup's George Tubin points out that "in light of the loss or theft of hundreds of millions of data records containing PII, the financial services industry must consider the ramifications of past, present and future data losses." READ MORE

ThreatMetrix has unveiled a new mobile security application for smartphone users called SafeAndSurf - a web browser that securely stores a smartphone user's personal data until he or she is ready to sign-on to a social network, execute an online banking transaction, or complete an ecommerce purchase. According to the company, "SafeAndSurf is the only mobile security application to safeguard a smartphone user's personal information and also allow the user to automatically insert that information to transaction data fields, a combination that allows consumers to shop, bank and play on their smartphones more safely and easily." SafeAndSurf is available today for use on the Apple iPhone. READ MORE

The Payment Card Industry (PCI) Security Standards Council must take the lead in developing a collaborative approach with merchants in defining more open standards for future PCI Data Security Standard (DSS) requirements, stressed NACS (the National Association of Convenience Stores) and several other trade associations in a June 8 letter to the Council. READ MORE

Voltage Security has introduced the Voltage Data Breach Index, a single at-a-glance view into the state of national and global data breaches.

According to Voltage, "the visual map brings data breach reporting to life, summarizing historical and real-time breaches, size and scope, types of records, regions affected, industry and more. Perhaps most interesting is that patterns in the data enable the creation of a predictive data breach model. This model predicts, for example, that 14 data breaches will, over the next year, each expose 1,000,000 or more records to potential use by criminals. And, at least one breach of over 10,000,000 records will affect nearly 5 percent of the U.S. population." A white paper is also available.

Hypercom, Ingenico, and VeriFone have announced the formation of the Secure POS Vendor Alliance - SPVA, a non-profit business organization chartered with implementing common payment security standards among vendors of secure point-of-sale (POS) devices used by retailers, acquirers and cardholders alike. READ MORE

More electronic records were breached in 2008 than the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime, according to the "2009 Verizon Business Data Breach Investigations Report" released today. Full press release here. READ MORE

The US House of Representatives Subcommittee on Emerging Threats, Cybersecurity and Science and Technology is holding a hearing today on the subject: "Do the Payment Card Industry Data Standards Reduce Cybercrime?". Witnesses include representatives from the US Department of Justice, the Payment Card Industry Data Security Standards Council, Visa Inc., Michaels Stores, and the National Retail Federation. A webcast is available.

The Bank Fraud Forum Blog has been launched by Memento Security.

Fraud is a serious issue that deserves serious discussion. The Bank Fraud Forum℠ has two primary objectives: 1) to convey insights, opinions and comments on the world of financial crime, and 2) to serve as an open, albeit virtual, forum for the fraud fighting community. Our goal is to offer intelligent, timely and thought-provoking analysis of trends, news, best practices and more.

Visa chief enterprise risk officer Ellen Richey told security experts today that payment card data fraud rates remain near historic lows despite economic woes and high-profile compromises, and called for continued industry investment, collaboration and innovation, three key components in keeping the electronic payment system secure in the future. She made her comments to a gathering of business, government, academic and law enforcement officials at Visa's Global Security Summit, its third cross-functional symposium on payment security, held in Washington, DC. READ MORE

Voltage Security has announced major enhancements to Voltage SecureData, supporting more environments and platforms, including end-to-end encryption across distributed environments such as those used by retail and payment processors. "Voltage customers are finding it easier to protect their data end-to-end, comply with regulations and protect sensitive customer information from the moment it is collected." READ MORE

Kimberly Kiefer Peretti of the Computer Crime and Intellectual Property Section of the US Department of Justice has authored a paper titled "Data Breaches: What the Underground World of “Carding” Reveals" to be published in the Santa Clara Computer and High Technology Journal. READ MORE

Heartland Payment Systems has announced that "it has formed an internal department dedicated exclusively to the development of end-to-end encryption to protect merchant and consumer data used in financial transactions. For the past year, Robert O. Carr, Heartland's chairman and chief executive officer, has been advocating for payments industry adoption of this technology - which will protect data at rest as well as data in motion - as an improvement for payment transaction security." READ MORE

With all of the news this week surrounding the payment card data breach at Heartland Payments Systems, we've added a new section to the Payments News Bookstore with several new books covering the topic of PCI-DSS (Payment Card Industry-Data Security Standard) compliance. If you're aware of any we've missed, please send us Feedback and we'll add them to the bookstore.

In addition to these books about the subject, the PCI Security Standards Council website is a great starting point for learning more about PCI-DSS.

Heartland Payment Systems issued a press release today saying that it had "added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year" - and including a statement from founder, chairman and CEO Robert O. Carr on the response his organization has made to the announcement earlier this week of a payment card data breach at Heartland. READ MORE

Eric Dash and Brad Stone report for the New York Times on the payment card data breach announced yesterday by Heartland Payment Systems. The compromise may have occurred as early as last May but wasn't detected until late last fall.

The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable."

Heartland Payment Systems has announced it has learned it was the victim of a security breach within its processing system in 2008. Heartland says it "believes the intrusion is contained." The company has created a website for "to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers."

Brian Krebs reports for the Washington Post that the breach "may have led to the compromise of more than 100 million credit and debit card transactions."

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

Fireman’s Fund Insurance Company has announced the introduction of what it's calling "the first coverage for retailers that experience a breach of their payment card security system." READ MORE

[Reposted from my personal blog: www.sjl.us]

I happened to hear from Peter Wayner that he's got new editions of both his Disappearing Cryptography (third edition) and Translucent Databases (second edition) now available.

Disappearing Cryptography is available from Amazon while it looks like Translucent Databases, for the moment anyway, is only available on the publisher's web site.

Ingenico has announced a new open architecture security enhancement, the Ingenico On-Guard solution, that the company says "will encrypt cardholder data from the transaction terminal to the merchant host, thus adding a significant security layer to card transactions that used to communicate in the clear. The new solution will be available on the Ingenico terminals sold in North America." READ MORE

In a press release titled "RBS WorldPay Announces Compromise of Data Security and Outlines Steps to Mitigate Risk", RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, announced that its computer system had been improperly accessed by an unauthorized party in early November.

According to more information provided on the RBS Worldpay web site, "the issue affected pre-paid cardholders and other individuals. Approximately 100 payroll cards have been used in a fraudulent manner and those cards have been de-activated. Our internal security professionals and outside experts are working with federal and state law enforcement authorities in an investigation of this event."

The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published a new discussion paper titled "Legislative Responses to Data Breaches and Information Security Failures" by Philip Keitel. READ MORE

The Center for Strategic & International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, "Securing Cyberspace for the 44th Presidency" . "The Commission’s three major findings are: cybersecurity is now one of the major national security problems facing the U.S.; decisions and actions must respect American values related to privacy and civil liberties; and only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation."

The PCI Security Standards Council (PCI SSC) has announced that it has launched a quality assurance program for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). According to the PCI SSC, "the new program was designed to provide QSAs and ASVs with a set of requirements that helps ensure they provide consistent, quality validation and assessment services to merchants and service providers." READ MORE

The PCI Security Standards Council, the standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), has announced it will be offering a complimentary webinar, "Understanding PCI DSS Version 1.2,” to be held on Tuesday Nov. 25, 2008 at 11:30 a.m. EST and at 7:30 p.m. EST. The session will be repeated on Wednesday Dec. 17, 2008 at 10:30 a.m. EST and 8:30 p.m. EST. READ MORE

The PCI Security Standards Council (PCI SSC) has announced the availability of a summary of forthcoming changes to PCI DSS as it moves from version 1.1 to the previously announced version 1.2 in October. READ MORE