
Page 1: The Future of Secure Electronic Payments San Diego August 10, 2009

The Future of Secure Electronic Payments

San Diego

August 10, 2009

Page 2

This presentation contains statements of a forward-looking nature which represent our management's beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors, including without limitation, the impact that the significantly unfavorable economic conditions confronting the United States may have on our business, the results and effects the security breach of our processing system may have on us, including the costs and damages we may incur in connection with the claims arising from such breach that have been made and may in the future be made against us, the extent of cardholder information compromised and the possibility that such security breach could cause us to lose customers or make it difficult for us to obtain new customers, the possibility that we may not be successful in developing and implementing an end to end encryption solution, the possibility that if we are successful in developing and implementing an end to end encryption solution it may not prevent future security breaches of our payment processing system, and additional factors that are contained in the Company's Securities and Exchange Commission filings, including but not limited to, the Company's annual report on Form 10-K for the year ended December 31, 2008. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this presentation.

Page 3

Topics / Agenda – The Future of Electronic Payments

1. What Is The Problem? The Cybercrimes Arms Race

2. Who Is Heartland Payment Systems?

3. What Happened and What Has/Will It Cost?

4. What Did We Do About It and What Are We Doing Now?

5. Massive Quantity/Quality of Breaches Call for Enhanced Solutions

6. Our New Solution Called E3 – End-End Encryption

7. This Is A Crisis and We All Need to Work Together

8. A Few Humble Suggestions

Page 4

The Cybercrimes Arms Race

1. Escalation of more and more effective spear phishing/injections/etc.

2. Compliance Is Not Enough

3. Assessments Are Not Worth Much

4. Hijacking internet domains – Network Solutions

5. Massive zero-balance ACH fraud

6. The financial systems infrastructure needs to be and will be upgraded!

Page 5

Your Protection Against Potential Insider Attacks

1. Any terrific service people who save data against company policy to help customers – no harm intended?

2. Any IT people who work around some of the inconveniences of required security that are admittedly good for everyone else?

3. Any C-Level folks (IT or otherwise) who don’t want to follow stringent password or other security policies so get hard-coded work-arounds?

4. Certain there is no Black Hat in your employ?

5. Any employees/consultants with access who might be tempted with a bribe?

Page 6

Heartland Payment Systems – What is Our Business?

• Card processing – credit/debit/prepaid cards:
  – Process 11 million transactions a day
  – Process over 4.2 billion transactions annually
  – Fund accepting merchants over $80 billion annually

• Payroll processing (small competitor to PayChex and ADP)

• Check 21 processing (electronic depositing of scanned checks)

• Online payment processing

• MicroPayments – vending, laundry, campus solutions

• Gift cards and loyalty programs

Page 7

Heartland Payment Systems

12 Years Ago ... And Today

Page 8

Historical Processing Growth 1998-2009

Page 9

(Figure only; no text content recovered from this slide.)

Page 10

Heartland Service Center

HPY owned – 650 employees – 35 acre site across Ohio River from Louisville, KY

Page 11

5 Year Financial Results 2004-2008 ($ in thousands, except EPS)

Year    Net Revenue    Net Income    EPS
2004    137,796        8,855         0.26
2005    186,486        19,093        0.50
2006    245,652        28,544        0.71
2007    294,771        35,870        0.90
2008    383,708        41,840        1.08

Page 12

Financial Strength

• Balance sheet – 12/31/2008
  – Cash on hand – $49.6 MM
  – Debt – $75 MM
  – Equity – $179.2 MM
  – Assets – $463.6 MM

• Income Statement – 2008
  – Gross receipts – $1,545 MM
  – Pre-tax income – $70.6 MM
  – After-tax income – $41.8 MM

A Fortune 1000 company in 2010? (missed in 2009 by 0.2%)

Page 13

What Happened?

• Winter-Spring 2008 – Sniffer attack on Hannaford announced – changed the game! HPS creates dedicated Chief Security Officer / fills position

• April 30, 2008 – HPS passes sixth consecutive PCI DSS assessment by largest QSA

• Mid-May 2008 – Penetration of payments network
  – Possibly related to attack in very late 2007 on customer-facing web page
  – Detected within 48 hours / no payment data implicated

Page 14

What Happened – The Investigation and the Announcement

• Late Oct. 2008 – Informed by card brand that issuers suspected potential breach of one or more processors
  – HPS requested sample fraud transactions
  – Many sampled transactions never touched our payment network

• Nine weeks following Oct. 2008 inquiry – Despite ongoing investigation by Heartland and two separate forensic companies, no evidence of an intrusion discovered

• Jan. 9, 2009 – Forensic companies advised they had nearly completed their investigations and found no problems; final reports expected shortly

• Jan. 13-20, 2009 – Discovered suspicious malware and learned of breach
  – Notified law enforcement, card brands
  – Public announcement

Page 15

What Has It Cost Heartland?

• ~50% reduction in market cap (~$400MM)

• 1H09 – $32 million in expense including
  – Forensics
  – Legal
  – Visa fine < $1MM
  – MasterCard fine ~$7MM
  – Settlement offer

• 2H09 and Beyond – to be determined

Page 16

What Has/Will It Cost Issuing Banks and Other Stakeholders?

Contrary to Industry Speculation, the Cost Is NOT Acceptable

Issuing Banks
– Customer attrition
– Cost of reissuing and monitoring for fraud
– Fraud

And… Electronic payment industry worries about lost consumer confidence (all stakeholders in the electronic payment system)

Page 17

What Did We Do About It?

• Additional security enhancements
  – Complete reimaging of servers
  – Additional network segmentation
  – More intense monitoring
  – More intense DLP efforts (Vontu)
  – Everything else the card brands requested

• Follow probation requirements

• Requested meetings with the card brands

• Requested meeting with PCI SSC officials

• Worked non-stop to obtain recertification

Page 18

What Were We Doing Before & What Are We Doing Now?

Before learning of our breach (after sniffer attack at Hannaford)
• Speaking out about need for improved systems
  – Federal Reserve Bank of Philadelphia Panel
  – Merchant Advisory Group
  – Verifone User's Conference
• Began developing end-to-end encryption solution
• Asked ANSI X9 – F6 to develop end-to-end encryption standard

After learning of our breach
• Formed FS-ISAC / PPISC and distributed malware and attack vectors
• Focused on ramping up end-to-end encryption development
• Ramped up ANSI X9 – F6 leadership

Page 19

The Bigger Picture

Knowledge of security threats should not be viewed as a competitive advantage.

Heartland's approach:
• Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem
• Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security

Page 20

Heartland Payment Encryption Zones

Page 21


The Heartland E3 Terminal

Heartland Confidential

Page 22

Physical Security

• HPS E3 terminal is a multi-level TRSM
• Tamper response and resistance
  – Battery-backed switches, epoxy, wire mesh, etc. protect the PCB (printed circuit board) and processors
  – Wire mesh enables tamper response and protects the keypad, PCB and processors

Wire Mesh

Page 23

Offline Encryption, Centralized Decryption Using IBE & FPE

POS

1. Random FPE Key = 0x12a36cde87fa6d3c10896d3e2c85003b

2. KMB = IBE-Encrypt(Public Key, Random Key)

3. Save KMB to TRSM

4. Encrypt PANs using Random Key
   1234-5678-6543-3214 -> 5673-4678-9012-3678
   6803-3467-5012-2456 -> 7208-3892-1087-6444
   3890-7384-5901-2654 -> 9645-0123-8911-6328

5. Transfer KMB + (5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328)

Processing Center

6. Decrypt only when Card Brands Require (KMB, 5673-4678-9012-3678, 7208-3892-1087-6444, 9645-0123-8911-6328) = (1234-5678-6543-3214, 6803-3467-5012-2456, 3890-7384-5901-2654)

Card Brands
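The six-step flow on this slide, written out as an added example; this is not Heartland's code and is not from the deck. It makes two substitutions that are assumptions of the example: RSA-OAEP (standard library) stands in for the IBE key wrapping that produces the KMB, and the format-preserving cipher is a small digit-domain Feistel network keyed with HMAC-SHA256 rather than a standardized FPE mode such as NIST FF1. The function names (posEncrypt, processorDecrypt, feistel, newProcessorKey) and the OAEP label "E3-KMB" are hypothetical. What it shows is the property the slide relies on: the terminal holds only the processor's public key, the random FPE key never leaves the terminal in the clear, the transferred ciphertexts are still 16-digit PAN-shaped strings, and only the private-key holder at the processing center can unwrap the KMB and recover the PANs.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Toy digit-domain Feistel FPE (illustrative, NOT NIST FF1/FF3): the 16 PAN digits are
// split into two 8-digit halves and mixed by an HMAC-SHA256 round function.
const feistelRounds = 10

// kmbLabel is the OAEP label bound to the wrapped key (assumed value, not from the deck).
var kmbLabel = []byte("E3-KMB")

// newProcessorKey generates the processing center's key pair (stands in for the IBE key server).
func newProcessorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// roundFunc derives 8 pseudo-random digits (0-9) from the key, the round index and one half.
func roundFunc(key []byte, round byte, half []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(append([]byte{round}, half...))
	sum := mac.Sum(nil)
	out := make([]byte, len(half))
	for i := range out {
		out[i] = sum[i] % 10 // slight bias; acceptable for an illustration
	}
	return out
}

// feistel maps a hyphenated 16-digit PAN to another one under key (format preserved);
// decrypt=true inverts it by swapping the halves, walking the rounds backwards and subtracting.
func feistel(key []byte, pan string, decrypt bool) (string, error) {
	d := []byte(strings.ReplaceAll(pan, "-", "")) // ASCII digits
	if len(d) != 16 || strings.Trim(string(d), "0123456789") != "" {
		return "", fmt.Errorf("PAN %q is not 16 digits", pan)
	}
	l, r, sign, i := d[:8:8], d[8:], 1, 0
	if decrypt {
		l, r, sign, i = r, l, -1, feistelRounds-1
	}
	for n := 0; n < feistelRounds; n++ {
		f := roundFunc(key, byte(i), r)
		next := make([]byte, 8)
		for j := range next { // digit-wise l ± f, mod 10
			next[j] = byte(((int(l[j]-'0')+sign*int(f[j]))%10+10)%10) + '0'
		}
		l, r, i = r, next, i+sign // sign also steps the round index up or down
	}
	if decrypt {
		l, r = r, l
	}
	s := string(append(l, r...))
	return s[:4] + "-" + s[4:8] + "-" + s[8:12] + "-" + s[12:], nil
}

// posEncrypt is steps 1-5 on the terminal: draw a random FPE key, wrap it under the
// processor's public key (RSA-OAEP stands in for the deck's IBE) and encrypt each PAN.
// The clear FPE key never leaves the terminal; only the KMB and the ciphertexts do.
func posEncrypt(pub *rsa.PublicKey, pans []string) (kmb []byte, cts []string, err error) {
	key := make([]byte, 16)
	rand.Read(key) // crypto/rand never returns a short read without an error
	if kmb, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, kmbLabel); err != nil {
		return nil, nil, err
	}
	for _, pan := range pans {
		c, err := feistel(key, pan, false)
		if err != nil {
			return nil, nil, err
		}
		cts = append(cts, c)
	}
	return kmb, cts, nil
}

// processorDecrypt is step 6: only the holder of the private key can unwrap the KMB,
// so nothing between terminal and processor can recover PANs from what is transferred.
func processorDecrypt(priv *rsa.PrivateKey, kmb []byte, cts []string) ([]string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, kmb, kmbLabel)
	if err != nil {
		return nil, err
	}
	var pans []string
	for _, c := range cts {
		p, err := feistel(key, c, true)
		if err != nil {
			return nil, err
		}
		pans = append(pans, p)
	}
	return pans, nil
}

func main() {
	priv, _ := newProcessorKey()
	kmb, cts, _ := posEncrypt(&priv.PublicKey, []string{"1234-5678-6543-3214"}) // constructed sample
	recovered, _ := processorDecrypt(priv, kmb, cts)
	fmt.Println("transferred:", cts, "recovered:", recovered)
}
```

The design point is the asymmetry in step 2: because the terminal wraps its per-session key under a public key, compromising the terminal's outbound link, the network in between, or any intermediate store yields only PAN-shaped ciphertexts plus a KMB that no one but the processing center can open. The Feistel network here is only to make the format-preservation visible; a production deployment would use a vetted FPE mode with a tweak (so identical PANs do not yield identical ciphertexts across contexts) and proper key management for the unwrapping key.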

Page 24

The Heartland E3 Device Roundup

• Heartland E3 POS

• Heartland E3 wedge

• Heartland E3 insertion reader

• Heartland E3 e-Commerce/middleware

• Heartland E3 unattended devices

• Partnerships with other terminal vendors to bring additional offerings to our merchants

Page 25

The Future of Secure Electronic Payments

PCI DSS is a good standard and is properly required by the industry

• Enhancements to Consider
  – Better Authentication Is Preferred
  – Chip and Pin
  – Tokenization solutions
  – End-to-end encryption solutions
  – New solutions

Page 26

The Future of Secure Electronic Payments

Opportunities for Improvement

• Better protection from insider attacks and human error

• 6 million small merchants have trouble managing 233 “best practices” aka “requirements”

• No silver bullet, but reasonable capital investment is preferable to permanent high overhead costs

Page 27

The Future of Secure Electronic Payments

• Let's get rid of tampering – encrypt the magnetic stripe when possible and encrypt at earliest point of entry everywhere else

• How to Pay For IT?
  – Reduced cost of compliance
  – Reduction of potential liability
  – Carrot and Stick from Card Brands

Page 28

A Few Humble Suggestions for a More Effective Approach

• Stop the over-the-top criticism of PCI compliance – not credible

• Stop the attacks on credit interchange – not credible

• Recognize the difference between interchange for credit and for debit

• Recognize the difference between fees to the card brands and interchange to the card issuers

Page 29

Thank You