Whether or not the risky approach will work is an interesting issue, but you've got to love the psychological dynamic at play here. Heartland is a data breach victim and—if and when Heartland is ultimately forced to reveal the volume of data impacted by their breach—might even be one of the largest data breach victims ever. But they're acting like a reformed smoker who suddenly finds the whiff of a lit cigarette repulsive and disgusting. Then again, a more apt analogy would be a reformed smoker who decides he can make a ton of money opening a Quit Smoking School.
The marketing reality is that almost every processor and security vendor today is hawking some version of something they're calling end-to-end encryption, forcing Heartland to do something flamboyant to get some attention. It's easy to nitpick the offer as not going far enough—to truly make the investment risk-free, why not offer to cover legal fees, court costs and the inevitable investigative and forensic costs?—but the more germane point is that it's farther than anyone else in the space has yet gone.
There will also undoubtedly be wording that the breach's cause must relate to the Heartland product, which certainly sounds reasonable. But cyberthieves—like all professional criminals—tend to be excellent at sniffing out the weakest link. If a homeowner installed a $9,000 top-of-the-line steel door with five Maxwell Smart-style drill-proof deadbolts, it's not that the home wouldn't get burglarized. It will simply push the burglar to come in through the window or sledgehammer through a wall.
In the end-to-end encryption case, the data could still be accessed, but the encryption would likely remove the retailer from being held responsible.
We should also stress that the offer is not yet finalized, but is merely one that Heartland officials are now telling people they plan to offer later this year. The offer came to light this month after Heartland announced that it had conducted a test of its encryption pilot and that the test succeeded. (The news release hardly needed to mention that last part. You see many releases that discuss failed pilots?)
Steven Elefant, who is managing the end-to-end encryption project at Heartland, was making the point that Heartland had been worried about whether the encryption might add too long a delay to transaction processing. "Anything sub a second would be a reasonable time," he said, adding that the delay at the trial—held at a local car wash near Heartland's Plano, Texas, offices—was just shy of one-fifth of a second ("less than 200 milliseconds").
Elefant also updated rough pricing that had been released by Heartland CEO Robert Carr back in May. Elefant estimated that the per-unit pricing would be "less than $500." When told that his boss had said the units would cost $100 to $300, Elefant initially denied that Carr would have ever said such a thing. Heartland spokesperson Jason Maloni—who was on the call—then told Elefant that he had been on the Carr interview call and that the CEO had indeed said it. Elefant said that it was likely out of context. (Readers can determine for themselves. The discussion with Carr was recorded as part of an audiocast package.)
But Elefant then added: "If you get breached or hacked, we will pay your fines and fees." Asked why the offer didn't go farther, Elefant said that was likely not necessary. For a small merchant, he said, it's the fines and fees that are the huge worry, as such local retailers rarely have deep enough pockets to attract lawsuits. For large chains, insurance and in-house lawyers—coupled with existing retainer deals—keep the legal costs fairly well contained, leaving, again, the fines and fees as the most frightening variable.
It's a sound rationale, but there's also the reasonableness factor. How much is it reasonable for a payment processor to absorb? That's especially germane when no one else is—thus far—offering much of anything in terms of guarantees.
The implied point, though, is that a so-called end-to-end encryption strategy—regardless of what form it takes—will go quite far in taking the merchant out of the data-protection business. Just like the homeowner analogy, this type of encryption will certainly not make a retailer immune to penetration. But it could easily make them a less inviting target. For now, though, that's probably enough to get some attention.