The sixth largest US credit card payment processor Heartland Payment Systems, has just acknowledged that their payment systems have been breached. The discovery of malware by forensic auditors on the system last week has led to this announcement.
Credit card payment processors have to jump through enormous requirements to keep their systems secure. Their systems and their applications must be compliant with Payment Card Industry data security standards. They must have an external compliance audit every year.
According to the CFO, the forensic teams found that hackers “were grabbing numbers with sniffer malware as it went over our processing platform.” I immediately thought of Hannaford and the same issue of sniffer capture.
Heartland processes over 100 million credit card transactions a year. That’s far more than the 2 million processed by Hannaford. The FBI and Secret Service are involved. The discovery was brought about not by Heartland finding it, but by the folks at Visa who noted a pattern of suspicious activity that could be traced back to Heartland as the common denominator.
This is really not surprising. There is obviously a group of talented coders who have figured out how to drop this code on critical servers to capture data as it “goes by.”
I’m sure the Payment Card Consortium does not want to have to add “encrypt all your data streams, inside and out, on your network,” to the PCI standard, but I believe it’s inevitable. Internal networks are no longer inviolate, where significant data can travel unencrypted.