Coalfire Systems — a leading independent Payment Card Industry (PCI) Qualified Security Assessor (QSA) — today released a security assessment validating that Heartland Payment Systems’ E3 end-to-end encryption magnetic stripe reader (MSR) wedge can eliminate the scope of the Payment Application Data Security Standard (PA-DSS) for POS developers. The PA-DSS is designed to eliminate the use of non-secure payment applications that store prohibited data elements — such as full magnetic stripe, CVV2 and PIN data — and to ensure payment applications support compliance with the PCI DSS. By encrypting sensitive payment card data at the moment of swipe, E3 prevents plaintext data from being available to the payment application, thus facilitating the removal of the payment application from PA-DSS scope. To fully eliminate PA-DSS scope, Coalfire specifies provisions including that no encrypted data can be stored locally; that no other payment systems can be supported; and that merchants cannot possess or have access to decryption keys in their retail or corporate environments. Heartland is the first data security supplier in the payments industry to have the scope-eliminating capabilities of its technology validated and published by a third-party assessor.
Coalfire’s assessment also documents that the E3 wedge can reduce the scope of PCI compliance for merchants by up to 69 percent, based on PCI DSS controls that are reduced or removed from scope with proper E3 MSR wedge deployment. This scope reduction significantly lowers the associated costs of PCI compliance assessment and validation for business owners. Last month, Coalfire released a separate assessment that found similar scope-reducing capabilities of Heartland’s standalone E3 terminal.
Commercially launched in November 2010, Heartland’s E3 wedge is the first MSR in the industry that encrypts sensitive cardholder data in a tamper-resistant security module (TRSM) — similar to that of a PIN debit encrypting device. Heartland developed the wedge to offer a variety of security options to merchants using computer-based POS systems, as well as address the epidemic of data breaches in the retail and hospitality industries — two of the “Big Three” industries affected by data breaches because of the frequent use of POS systems. According to the 2010 Verizon Business Data Breach Investigations Report, these sectors account for 15 and 23 percent, respectively, of investigated data breaches.
“Providing the highest level of data security has always been at the core of E3’s value proposition, but the byproducts of drastically reducing PA-DSS and PCI scope — as well as the associated complexities and costs — are also highly desirable to POS developers and business owners,” said Steve Elefant, Heartland’s chief information officer. “We estimate developers can save tens of thousands of dollars by leveraging E3 wedge technologies to reduce or eliminate PA-DSS scope for their applications. And for merchants, E3 not only provides an easy solution for safeguarding customer data with the most secure data security solution currently available, but also enables them to save substantial amounts of money and resources. We can attribute the adoption of E3 technology by nearly 10,000 business owners in less than a year’s time to these key benefits.”
“Heartland is expert at anticipating the needs of the industry and its merchants and delivering to them with effective and cost-efficient technologies,” said Kennet Westby, president and COO of Coalfire. “The fact that E3 — with tamper-resistant, hardware-based encryption, unique encryption keys for all devices and frequent key rollover, among other features — is well aligned with the security roadmap outlined in the PCI Emerging Technology Whitepaper on encryption is a perfect example of that.”
Coalfire also determined:
To read the full report and learn more about E3, go to E3secure.com/Coalfire and visit Heartland at Booth #3350 at National Retail Federation Annual Convention & Expo.
About Coalfire
Coalfire is a leading IT audit and compliance firm that provides IT audit, security, and compliance management solutions throughout North America. Services include IT Audit, compliance assessments, penetration testing and application code reviews. Customers are in the retail, financial services, government, healthcare, education, legal, and public utilities industries. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation including PCI, GLBA, HIPAA, NERC CIP, SOX, and FISMA. Coalfire is a Qualified Security Assessor (QSA) and Payment Application QSA (PA-QSA) that conducts over 1,000 IT audits and assessments annually. For more information, please visit www.coalfiresystems.com.
About Heartland Payment Systems
Heartland Payment Systems, Inc. (NYSE: HPY), the fifth largest payments processor in the United States, delivers credit/debit/prepaid card processing, gift marketing and loyalty programs, payroll, check management and related business solutions to more than 250,000 business locations nationwide. A FORTUNE 1000 company, Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. The company is also a leader in the development of end-to-end encryption technology designed to protect cardholder data, rendering it useless to cybercriminals. For more information, please visit HeartlandPaymentSystems.com, MerchantBillOfRights.org, CostOfABurger.com and E3secure.com.
Forward-looking Statements
This press release may contain statements of a forward-looking nature which represent our management’s beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors. Information concerning these factors is contained in Heartland Payment Systems’ Securities and Exchange Commission filings, including but not limited to, its annual report on Form 10-K for the year ended December 31, 2009. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.