Press Release

Coalfire determines Heartland Payment Systems' E3™ end-to-end encryption protocol can reduce payment card industry scope by up to 79 percent.

November 22, 2010

Assessment finds a properly deployed E3 solution can significantly mitigate the risk of data compromise and is one of the most effective data security controls available to merchants today

LOUISVILLE, CO & PRINCETON, NJ - NOVEMBER 22, 2010 - According to an independent security assessment released today by Coalfire Systems, a Payment Card Industry (PCI) Qualified Security Assessor (QSA), Heartland Payment Systems' E3 end-to-end encryption terminal can reduce the scope of PCI compliance by 79 percent for merchants using a dial-up connection and by up to 69 percent when using an IP connection. Coalfire also found E3 can minimize the resulting costs of PCI compliance assessment and validation.

“The complexities - and costs - of PCI compliance are some of the most taxing aspects of payment card security for merchants of all sizes. Relieving them from a significant amount of that burden - as well as from the risk of payment card data compromise for transactions submitted through E3 devices - without additional 'junk' fees or encryption taxes is a major victory for business owners, Heartland and the payments industry at large,” said Steve Elefant, Heartland's chief information officer.

E3 is designed to provide the highest degree of payment card data security available. E3 technology meets the recently released PCI Security Standards Council (SSC) guidance for point-to-point encryption (P2PE). It safeguards cardholder data from the moment of card swipe or key entry — and through the Heartland network — until handoff to the card brands “with no decryption of the data feasible at any point between the source and the destination.”

Kennet Westby, president and COO of Coalfire, added, “As a payments processor, Heartland has a unique advantage over many other security providers in that it can protect data through its own network - providing a true 'end-to-end' solution for merchants with no need to decrypt data before handoff to the processor. This is a primary factor in the increase in scope reduction when compared with other technologies.”

Coalfire also determined that E3 meets all Visa Data Field Encryption guidelines as well as other industry standards.

Other key findings include:

  • E3's use of Format Preserving Encryption (FPE) meets encryption best practices and standards for cryptographic algorithms and key strength, and meets industry standards and VISA best practice guidance.

  • The use of Identity-Based Encryption (IBE) key management processes removes most of the challenges of key management for the merchant that have been found in many other encryption solutions.

Coalfire's assessment, which included technical testing, architectural assessment, industry analysis, compliance validation and peer review, concluded, “A properly deployed E3 solution can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.”

To read the full report and learn more about E3, visit

Coalfire and Heartland will conduct a webinar on November 30 at 1 PM EST to review the results of the assessment. Registration information is available at

About Coalfire

Coalfire is a leading IT audit and compliance firm that provides IT audit, security, and compliance management solutions throughout North America. Services include compliance assessments, penetration testing, application code reviews and certifications. Customers are in the retail, financial services, government, healthcare, education, legal, and public utilities industries. Coalfire's solutions are adapted to requirements under emerging data privacy legislation including PCI, GLBA, HIPAA, NERC CIP, SOX, and FISMA. Coalfire is a Qualified Security Assessor (QSA) that conducts over 1,000 IT audits and assessments annually. For more information, please visit

About Heartland Payment Systems

Heartland Payment Systems, Inc. (NYSE: HPY), the fifth largest payments processor in the United States, delivers credit/debit/prepaid card processing, gift marketing and loyalty programs, payroll, check management and related business solutions to more than 250,000 business locations nationwide. A FORTUNE 1000 company, Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. The company is also a leader in the development of end-to-end encryption technology designed to protect cardholder data, rendering it useless to cybercriminals. For more information, please visit,, and

Alan Ferguson, Coalfire Systems: 303.554.6333 x7002 - 
Leanne Scott Brown, Vault Communications: 610.455.2742 - 
Nancy Gross, Heartland Payment Systems: 888.798.3131 x2202 -

Forward-looking Statements
This press release may contain statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors. Information concerning these factors is contained in Heartland Payment Systems’ Securities and Exchange Commission filings, including but not limited to, its annual report on Form 10-K for the year ended December 31, 2009. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.