As these understandable business disputes work their way to resolution, the team at GonzoBanker thought it important to hear from a leader who has been steeped in this complex controversy and who hopes new discussions, no matter how uncomfortable, may bring greater resiliency to the payments industry. While different constituencies in our loyal readership clearly fall on both sides of judging the Heartland incident, we hope all will agree that hearing ideas about “what comes next?” is vitally important to our industry.
Name: Robert Carr
Official Title: CEO of Heartland Payment Systems
Gonzo’s Title: Battle-Scarred Evangelist of Payments Security
Alma Mater: University of Illinois at Champaign-Urbana. Bob majored in math as an undergrad and then earned a graduate degree from the University of Illinois’ groundbreaking computer science program.
Previous Gigs: Bob started his career teaching computer science at Parkland College in Illinois and then moved to the Bank of Illinois where he first became exposed to the world of payment systems. In 1997, Bob co-founded Heartland Payment Systems with Heartland Bank. Under his guidance, Heartland climbed from #61 to #5 in the nation and #9 in the world; from 25 to more than 3,100 employees; from 2,500 to 250,000 client locations and from a portfolio of $0.4 billion in bankcard volume to more than $80 billion.
Bob believes Heartland’s growth can be directly attributed to a business model based upon building trust with merchants. “The thing that people don’t get about our model is our sales people trust us to treat our customers right,” Bob said. “Small business people are not small-minded idiots like some of our competitors treat merchants.” Bob has been so vocal about abuses and deceptive practices in the card business that he personally penned a Merchant Bill of Rights in 2006.
Things Keeping Bob Busy
High levels of controversy have followed Heartland since January 2009, when it was announced that hackers had breached the payments processor’s servers. This allowed a hacker to gain access to the card information for the 100 million transactions Heartland processes each month. As The Wall Street Journal reported on June 19, 2009: “Aside from the scale, the breach stood out from the hundreds of others reported each year because Heartland had recently passed a security audit. Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough.”
Bob believes PCI is a “lowest common denominator” standard and that the vast majority of breaches go unreported. He says that around 300 companies were victimized by the same hacker as Heartland, but that most have never come forward.
Rather than retreat from the incident, Bob has made sincere efforts to bring more awareness to the complexity and interlocking risk among all players in the payment ecosystem.
Bob’s Side of the Heartland Payment Breach
It is clear that many banks and credit unions are bitter from card reissuance and risks to their customer bases, and these issues are not to be diminished. Heartland asks that the following items also be considered:
In response to this issue, Bob has been rallying for both stronger security standards and the promotion of greater collaboration among parties in the card processing industry. Bob believes a system of anonymous collaboration among processors concerning breaches and security efforts could greatly enhance both protection and responses to issues. In addition, Bob is a firm believer that end-to-end encryption in the payment industry is a highly desirable technical upgrade worth every penny of investment that will be required from processors and merchants.
Heartland recently completed the first phase of its end-to-end encryption pilot project. This first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data.
Key Message Bob Has for Bankers
“I would rather be remembered as the guy who helped try to fix the system than the guy who had the biggest breach.”
Bob’s Claim to Fame Outside the Office
Bob is a major history buff who has visited every state capital in America. He is also one of those crazy individuals who has seen a major league baseball game in every team’s home stadium. Bob has watched MLB in 44 stadiums, 14 of which are no longer MLB venues. There is one exception: Bob has not yet watched a game in the new Yankee Stadium but plans to check off that goal in the near future.
A Great Year for Bob
Bob got to see his Chicago White Sox finally win the World Series in 2005 – the same year his company, Heartland Payment Systems, went public.
Bob’s Favorite Movie of All Time
Funny Girl starring Barbra Streisand. Bob was a young college lad when Ms. Streisand started making hearts pound.
The Music Bob Loves to Belt from the iPod
Bob is a fawning fan of Sarah Brightman, formerly married to composer Andrew Lloyd Webber. Bob says Sarah’s voice is simply “amazing.”
Stamping Out the Black Hats
GonzoBanker recognizes Bob Carr of Heartland Payment Systems and we are pleased to donate $250 to the Give Something Back Foundation started by Bob and his wife, Jill, to create scholarships for disadvantaged youth.
The credibility of our current payment systems hangs in the balance today – GonzoBanker wishes Bob and all payment providers Godspeed in working harder to achieve a vastly improved level of information security. May the entire industry stick it to the hackers!