Heartland CEO on Breach Response'Anyone That Thinks They're Not Going to be Breached is Naive'
When cardholder data is exposed in a breach, the reputation of the entire payments industry is jeopardized, says Carr. From the processor that suffered the breach to the financial institutions that issued the cards and the merchants that accepted them, a number of links along the payments chain are affected.
As details about the breach of Global Payments unfold, Carr says information sharing is key, especially among other payments processors. "Don't minimize the impact," Carr says. "Share information. .... The bad guys might be in somebody else's system, so it is good for everyone to communicate."
Although a great deal has changed since 2009, when Heartland's breach was exposed, Carr says open communications, especially for publicly-traded companies, will pay dividends in the long run. But the ways in which companies communicate their messages in post-breach environments will vary.
"I would not advise a one-size-fits-all solution," he says. "Over the past three years, we've overcome it, mainly because we took responsibility for it; we weren't trying to blame anybody else."
Global and Heartland have a few similarities. For one, both rank among the nation's top 10 processors. Princeton, N.J.-based Heartland in 2011 was ranked by the Nilson Report, a payments industry newsletter, as being the sixth-largest payments processor in the country. (See A Tale of Two Breaches.)Global Payments ranked No. 7. Secondly, both garnered a great deal of media attention in the wake of their breaches.
Third, when news of the breach broke, Visa removed Global from its list of vendors compliant with then Payment Card Industry Data Security Standard. Heartland also was removed from Visa's list following its breach.
"To be PCI compliant does not mean you can't be breached," Carr says. "Any of us that processes PII (personally identifiable information) should be humble. ... Anyone that thinks they're not going to be breached is being naive."
During this interview, Carr discusses:
- How payments breaches affect processors, card issuers and merchants;
- The meaning of PCI compliance;
- What the industry might expect from Global as more details about its breach unfold.
Carr co-founded Heartland Payment Systems with Heartland Bank in 1997, quickly building the foundation for an end-to-end credit, debit and prepaid card processing engine. Today, Heartland ranks as one of the 10 largest processors in the world. Carr spearheaded The Merchant Bill of Rights - a public advocacy initiative to promote fair card processing practices on behalf of all business owners. He also has been at the helm of an industry collaboration movement to thwart cybercriminals - and help protect business owners, consumers, processors and financial institutions. He was active in the formation of the Payments Processor Information Sharing Council and served as chair of its steering committee. He also serves as associate member director on the board of the Secure POS Vendor Alliance.