Heartland's New Encryption Strategy: Let Them In, But Limit Them

Late this year, data-breach victim Heartland Payment Systems will roll out its version of end-to-end encryption, built around a Tamper-Resistant Security Module. But the encryption-key strategy behind it is willing to let cyber thieves get some data, as long as it's not enough for them to make any money from it.

Making the hardware part of the technology work will be the easy part, compared with getting retailers to buy in and winning the backing of Visa, MasterCard, American Express and the other card brands. Heartland CEO Robert Carr discussed the details of his plan for the first time in a pair of StorefrontBacktalk podcasts: the first focuses on the technology details of the plan and the second delves into the practical industry-political realities of getting such a plan widely used.

Related Column: Is Heartland's End-to-End Move The First Shot In A Processor Lock-In War?

Sometime by the end of September (the end of the third quarter), Heartland plans to start rolling out a new security approach to its retailer customers. It's based on attaching a Tamper-Resistant Security Module (TRSM), a physical piece of hardware, "within centimeters or less to the magnetic stripe itself. The connection is shielded with" the TRSM, Carr said. "We're also working on an identity-based encryption model and a format-preserving encryption model that will allow us to manage the keys for the merchants that implement this."

(Related Story: Heartland CEO Vows To Fight MasterCard Breach Fines Of $6 Million-Plus)

Carr said that there is a monetary cost to retailers who choose to make the move, an amount he estimated at between $100 and $300 per card reader. There's also an effort cost: "Any change is painful," he said. But beyond the hard and soft costs inherent in this kind of change, the biggest initial hurdle will be convincing retailers that this will actually make things more secure.

"We're going to ask the retailer to move to a dispute resolution service where the card number is no longer required, where we go to a reference number or other such token number to handle any kind of customer disputes in terms of draft retrieval requests or chargeback issues," Carr said. "We think it's a matter of time before the card brands will accept encrypted transactions as part of the flow."

Heartland has been in discussions with three of the largest card brands and, Carr said, "none of them has yet committed. They're all working on determining the efforts that would be required. But the model that we've introduced into the discussion is the standard model being used to decrypt PINs now. The card brands have indicated a willingness to pursue accepting transactions from those processors who are willing to send encrypted data to their specifications. So no one's agreed to do it yet but the conversations have been positive. I think there is resistance to forcing encryption onto everybody and that's not what we're suggesting." Given the nature of the hardware security module approach, this would cover only in-store transactions and wouldn't help with card-not-present transactions.

Probably the most distinctive element of the Heartland proposal is its approach to key management. At a technical level, it uses different keys for different zones, with a modified one-time-password twist: a key is permanently disabled after one legitimate use, which in theory makes a stolen key (especially one obtained by the proverbial disgruntled employee) of very limited value.

But at a strategic level, the key management approach rests on a very different view of protecting data. Traditionally, security approaches have tried to deny the bad guys any access to the data, something that has proven extremely difficult and, some might say, futile. Heartland's new approach starts from the business reality of being a professional cyber thief in 2009: it's not necessary to deny the thieves access to all protected data. As long as the amount of accessible data stays below a certain threshold, stealing it isn't cost-effective for them.

Today's major breaches go after millions of records each precisely because the card brands have gotten better at deactivating compromised cards. In other words, the thieves know that 90-plus percent of the stolen cards will be dead by the time they can be used. That remaining 10 percent is all they have to make money with, and they'll need to sell those cards to others. Keeping the stolen haul small enough might be almost as good as never letting them in, and it's probably a lot easier to actually deliver.

"We're using multiple keys in multiple zones. The keys that are used to encrypt the transaction at the point of sale are changed every day for the merchant and for the particular device so that, should somebody crack our keys, they would be able to (only) get one batch of data from one merchant," said Heartland's Carr. "We think this is really industry changing. As soon as the encrypted transactions get into our hardware security module and the batch is closed out, which is done daily, those keys go away and are never used again. So we think our key management approach is really sort of elegant and solves an awful lot of problems, especially for unattended devices that are so expensive to do key injection with."
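The multi-zone, retire-at-batch-close key design Carr describes above, as an added illustration that is not Heartland's code or design: each (merchant, device, day) zone gets its own fresh random key, a leaked key opens only that zone's batch, and the key is dropped once the batch closes. The HMAC-based toy cipher, the zone names and the sample card numbers are constructed for the example; a real TRSM/HSM would use a standard cipher and hardware key destruction.

```python
import hmac, hashlib, os
from datetime import date

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pan: bytes) -> bytes:
    """Encrypt-then-MAC one card number under a zone key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pan, _keystream(key, nonce, len(pan))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the card number, or None if the key is wrong or the record was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class ZoneKeyStore:
    """Processor-side module: one random key per (merchant, device, day) zone, dropped at batch close."""
    def __init__(self):
        self._live = {}
    def key(self, merchant: str, device: str, day: date) -> bytes:
        return self._live.setdefault((merchant, device, day), os.urandom(32))
    def is_live(self, merchant: str, device: str, day: date) -> bool:
        return (merchant, device, day) in self._live
    def close_batch(self, merchant: str, device: str, day: date) -> None:
        self._live.pop((merchant, device, day), None)  # retired: never used again

def exposure(leaked_key: bytes, records) -> int:
    """Blast radius of one leaked zone key: how many stored records it opens."""
    return sum(1 for blob in records if unseal(leaked_key, blob) is not None)

def demo():
    store, records = ZoneKeyStore(), []
    d1, d2 = date(2009, 9, 1), date(2009, 9, 2)
    # Three zones: one lane on two days, plus a second merchant (constructed data).
    zones = [("merchant-A", "lane-1", d1), ("merchant-A", "lane-1", d2), ("merchant-B", "lane-7", d1)]
    for merchant, device, day in zones:
        k = store.key(merchant, device, day)
        for i in range(5):  # five constructed, non-real card numbers per batch
            records.append(seal(k, f"4111111111111{i:03d}".encode()))
    leaked = store.key("merchant-A", "lane-1", d1)  # insider walks off with one zone key
    exposed = exposure(leaked, records)             # 5 of 15: one batch from one merchant
    store.close_batch("merchant-A", "lane-1", d1)   # batch closed: key retired for good
    return exposed, len(records), store.is_live("merchant-A", "lane-1", d1)
```

Running `demo()` returns `(5, 15, False)`: the leaked key exposes exactly one merchant's one-day batch, and after batch close the zone key no longer exists in the store.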

The fundamental approach Heartland is advocating means retailers never have to store the card number. The one problem with that approach is that the card number still has to be stored somewhere, and it has to be associated somewhere with that transaction's reference number. Could that prove to be the approach's Achilles heel? Carr said he didn't think it would be. "Today, the card brand has already assigned a reference number to that dispute. Instead of using the card number within that dispute within our internal backoffice systems, our intent is to use the reference number. We will have to, from time to time, pull up card numbers in our service center, but that will be done through a secure process," Carr said.

"The card numbers are all encrypted in the database and in the data warehouses and there will be decryption tools that will be available to our service center to take the reference number and go track down the card number. That's needed when there's duplicate transaction processing, if there's a batch balancing problem, etc.," the CEO and Chairman said. "Those kinds of tools are necessary, but they don't expose large numbers of card numbers at any one time. We're just trying to reduce the exposure. I think this approach will reduce it tremendously and do it in a way that the merchant is not required to store card numbers any more. The processor would have all of the card numbers in their secure databases that are encrypted."

Another potential hiccup is standards and consistent deployment, which could be undermined if various processors go their own way. But the Heartland CEO dismisses such concerns because of the involvement of Visa, MasterCard and American Express. "I think that's manageable because the card brands will determine the specifications for how they will accept the encrypted data," he said.

Click here to listen to the full first podcast on the technical details and here to listen to the full second podcast on the practical industry political realities of getting such a plan widely used. By the way, there's no registration needed for either podcast. Come on in: the door's open.