Heartland CEO on data breach: QSAs let us down

Heartland Payment Systems Inc. CEO Robert Carr opens up about his company's data security breach, how compliance auditors failed to flag key attack vectors and what the big lessons are for other companies

You've no doubt moved aggressively to improve security. Talk about the specifics of what you've done in terms of technology and people policies.

Carr: "Four different card brands have their policies and ideas about security, and we've done everything asked of us. We must have more layers than anyone out there. Some specifics: We re-imaged all our servers -- nuked them, essentially -- and started over. We added additional network segmentation, much more intense monitoring, and added data loss prevention technology, specifically Symantec's Vontu product, which helps you find every place where a card number is stored."
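The discovery step Carr describes (finding every place a card number is stored) can be illustrated with a small scanner. This is an added example, not Heartland's or Symantec's code: it pulls 13-19 digit runs out of text, keeps only those that pass the Luhn check card numbers must satisfy, and masks the hits for reporting. The sample log is constructed; the card numbers in it are public test values, not real accounts.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes.
# Lookarounds stop the scan from starting or ending inside a longer digit run.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return digits-only card numbers found in text (Luhn-valid only)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Real DLP products add BIN-range and context rules on top of this;
        # Luhn alone still lets roughly one random digit run in ten through.
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep first six and last four digits so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_report(text: str) -> list:
    """Masked list of card numbers present in text, in order of appearance."""
    return [mask(p) for p in find_pans(text)]

# Constructed sample: two public test card numbers, one ticket id that is
# sixteen digits but fails Luhn, and a phone number that is too short.
SAMPLE_LOG = """2009-06-30 batch export: card 4111 1111 1111 1111 exp 12/11
support ticket ref 1234567890123456 (not a card)
refund to 5500-0000-0000-0004 amount 42.00
call 555-867-5309 for details
"""

if __name__ == "__main__":
    for finding in scan_report(SAMPLE_LOG):
        print("card number stored in clear:", finding)
```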

How much money has Heartland had to spend to address the security holes and other things like lawsuits?

Carr: "In the first half of 2009, we laid out $32 million and we don't know what will happen going forward. We are aggressively defending against litigation. That's all I can say."

How receptive have Heartland's customers been to the cost of end-to-end encryption?

Carr: "We contracted with Voltage Security to use their encryption technology. We have absorbed that cost and the cost of developing an encryption device. We are not passing that on to customers. We haven't increased anyone's pricing. That said, customers who want to go to our new encryption device will have to rent or buy it. It will cost under $500, approximately. The savings they'll get from not having card numbers in their systems will be worth it. The technology will prevent raw numbers from being transmitted in the clear."

Any pushback from customers on that one?

Carr: "We just rolled this out in late June and have a number of merchants using it. Is there pushback? That remains to be determined. Many of our smaller customers can't even spell PCI. But the bigger customers are very receptive to this."

What's your single-biggest piece of advice for other companies that discover they've been the target of a data breach?

Carr: "What worked well is that when we announced it publicly we had an all-hands meeting of all 3,000 employees. I told them their job was to be up front with our customers and tell them what it means for them. Let us be the one to tell them first, not the press. Being candid has been key. Some companies try to sweep it under the rug. Being pissed that this happened is important, too. I don't want this happening to anyone else, so we formed a payment-processing council to share information, share the malware samples, and help educate people, even our competitors. As I've gone around the country talking to people, there's a lot of chutzpah that this can't happen to them. The bad guys know all about the security methods employed in the industry. We need more humility. Those who feel comfortable with their security should ask themselves how they feel about their vulnerability to insider threats."

What should companies be asking in terms of the insider threat?

Carr: "Are there people inside their company who circumvent security policies in the name of being more efficient? Employees don't like what's inconvenient, and they find workarounds. How comfortable do you feel having data in the clear within your networks, where an insider can access it? How many IT security organizations have high-level management asking them to bypass certain security controls as a favor to them because they are the boss? These are vital questions."
