I’ve written on the subject of encryption here in the past and how states like Nevada and Massachusetts are enacting strict data privacy laws that call for better overall security of client data. Gartner analyst Frank Kenney weighed in to say that “…it’s not just about encrypting the information, it’s about being able to rapidly produce evidence that you in fact followed the letter of the law.”

This brings to mind Heartland Payment Systems who suffered a massive data breach earlier this year. Heartland is one of the largest processors of credit and debit card transactions in the U.S. The company handles more than 100 million card transactions per month for 250,000 clients; it’s scary that a company so large could have its systems compromised by intruders for what appears to have been an extended period.

The good news? Heartland announced this week that it will offer its merchants end-to-end encryption capabilities – news that has been roundly applauded by industry analysts. Under the plan, the company's processing network will be protected by an end-to-end encryption system. Nonetheless, the breach came at a huge financial cost. In Heartland's first-quarter earnings call last Thursday, company officials said the well-publicized data breach has cost the company $12.6 million so far. This amount includes legal costs and fines from Visa and MasterCard, both of which have stated that the payment processor was not compliant with PCI standards at the time of the breach. Visa had removed Heartland from its list of validated service providers in March, after the breach was made public on January 20. Heartland announced that it had been recertified and reinstated onto Visa's list of PCI-DSS validated service providers on April 30.

There are lessons to be learned here for other companies transmitting sensitive data – particularly those using non-secure or unmanaged solutions such as plain FTP, which sends both login credentials and file contents in cleartext across the network (note: there is no evidence that Heartland was using FTP). One of our major customers, a Fortune 500 company in financial services, has issued an edict banning the use of FTP anywhere in its enterprise. No 'ifs', 'ands', or 'buts'! This is good practice and should be adopted by more companies as a corporate standard. Companies need to act proactively to avoid a data compromise that could literally put them out of business.

About:
John Lynch is Director of Marketing Communications at Proginet Corporation. In this role he oversees the company’s corporate communications initiatives, including press and analyst relations.



One Response to “Beyond PCI and the Heartland Data Breach: Corporate Edicts on File Transfer and Proactive Best Practices”  

  1. Bob

    Starting January 1, 2010, the state of Massachusetts will implement the toughest set of rules and regulations in the country for security and file transfers to and from any company in the world. Any corporation giving or receiving information within the state of Massachusetts will have to be compliant. This is the start of the way it will have to be, and it will cover many corporations inside and outside of the state.

    Proginet has all that is needed to be compliant and hopefully has already started the process to implement a package that will be readily available to all on short notice (everyone waits until the deadline). The best way to approach this is to contact the heads of the state of Massachusetts to help accommodate their upcoming needs and become the preferred vendor to all.
