Digital Transactions Authoritative, insightful and timely information for payments professionals
Merchant acquirer Heartland Payment Systems Inc. has installed its new end-to-end encryption terminals at more than 1,020 merchants since commercially launching the technology on May 24, the company reports. Heartland also will be rolling out a small USB card reader, or “wedge,” later this month, says Steve Elefant, chief information officer.
Heartland provides payment services to more than 250,000 businesses nationwide, including, as of the end of 2009, 173,400 small and mid-sized retailers, restaurants and other businesses, and about 75 large national merchants representing about 54,000 locations, mostly gas stations and convenience stores. Thus, while the new terminals known as E3 are in less than 1% of Heartland’s portfolio, Elefant believes they’re just getting started. “Contrary to a lot of skepticism that was out there, there is a great deal of interest on behalf of the merchant community in lowering their risk from PCI [Payment Card Industry data-security standard] fines and fees as evidenced by the adoption we’re getting in the first month of our E3 terminal rollout,” Elefant tells Digital Transactions News.
Terminals were installed at businesses representing 118 different merchant categories, primarily non-petroleum retailers, Elefant says. “We are working with large petrol customers as well, but the implementations there are a bit more complex so it takes a little time to work through all those issues,” he says.
The E3 terminals employ both tamper-resistant hardware and Advanced Encryption Standard encryption, the most secure encryption algorithm available. E3 encrypts all Track 1 and 2 data from a card’s magnetic stripe from the time the card is swiped or manually entered until the time the transaction reaches the processor. The data are then decrypted and re-encrypted for transfer to the appropriate card network.
Heartland is working with several major card brands to carry encryption all the way through to the card network, Elefant says, without naming the brands. “Ultimately the goal is to be able to never have a clear-text transaction from the time the card is swiped until it goes out our back door and we deliver it to the brand,” he says.
Princeton, N.J.-based Heartland accelerated work on enhancing security after announcing a major breach of its processing system for small and medium-sized merchants in January 2009. A federal prosecutor later said the breach compromised 130 million debit and credit cards, the biggest ever in the card industry.
The company, which is marketing the terminals through its sales force, offered trade-in deals on merchants’ existing equipment if they take E3 hardware. Additionally, merchants using E3 are protected by a warranty, which will reimburse merchants’ breach-related fines in the event of a compromise. “We’re saying if they’re using E3 technology, if they receive any PCI fines or fees, we will cover any of those costs,” Elefant says.
The terminal is just the first of several products using E3 technology that Heartland will be releasing. The processor later this month will be launching the E3 wedge, a small, mag-stripe-reading wedge that plugs into a USB port. The wedge, which features the same tamper-resistant security module and AES encryption methods as the terminal, is designed for merchants using PC-based point-of-sale cash-register systems, Elefant says. Heartland also is working on development of a multifunction device that call centers and multilane retailers can use.
Heartland and VeriFone Systems Inc., the largest U.S.-based terminal maker, are embroiled in lawsuits over Heartland’s terminal business. VeriFone first alleged infringement by Heartland on one of its end-to-end encryption patents. Heartland has countersued alleging, among other things, trademark infringement and false advertising on the part of VeriFone (Digital Transactions News, Nov. 11, 2009).
