Bob Carr on Leadership in a CrisisFirst Thought After Heartland Breach was: 'Can we Survive this?'
More than 18 months later, not only has Heartland survived its historic disaster, but the payments processor and Carr himself have come to be acknowledged as leaders in the effort to improve payments security - particularly through end-to-end encryption.
"I think, frankly, that we were the leaders in getting that discussion rolling at the level it's been conducted at, and I'm very proud we've taken that role," Carr says. "It makes me feel we've taken this situation and made a positive out of it, as much as that's possible."
In an exclusive interview, Carr talks about how he responded to the Heartland data breach, discussing:
- His response strategy upon learning of the breach;
- Lessons learned from the crisis - what he'd do differently;
- Advice to other business leaders when disaster strikes.
As Chairman and Chief Executive Officer of Heartland Payment Systems, Carr is responsible for the strategic direction and growth of the company. He co-founded Heartland Payment Systems with Heartland Bank in 1997, quickly building the foundation for an end-to-end credit, debit and prepaid card processing engine. Under his guidance, Heartland has been named a FORTUNE 1000 company; climbed the rankings from #62 to #5 in the nation and #9 in the world; from 25 to 3,400 employees; from 2,500 to 250,000 business locations and from a portfolio of $0.4 billion in bankcard volume to more than $80 billion. Today, Heartland processes more than four billion payment transactions annually.
Carr was active in the formation of the Payments Processor Information Sharing Council (PPISC) and served as chair of its steering committee. He also serves as associate member director on the board of the Secure POS Vendor Alliance. He has been a driving force in the development of "E3ï¿½ï¿½," Heartland's end-to-end encryption technology that is designed to protect cardholder data at rest and in motion throughout the lifecycle of card transactions.
TOM FIELD: What are the pressures for a leader in crisis mode? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are privileged talking to be speaking with Bob Carr, CEO of Heartland Payment Systems, to get his advice. Bob thanks so much for joining me today.
BOB CARR: Thank you for inviting me.
FIELD: Well, Bob, there is no question that the Heartland Payment Systems breach was one of the biggest incidents not just in the past year, but one of the biggest incidents in business history. What was your personal reaction when you first learned of this incident?
CARR: Well, I was shocked and stunned to say the least. We had just been given a clean bill of health by the forensics company that was looking into possible issues, and I just couldn't believe it happened to us. Of all companies, we were so focused on security at all times, and I just thought this really can't be happening to Heartland. But then immediately I started wondering, 'Can we survive this? How can we survive this as a company, and what should we do?'
FIELD: And there really wasn't any guideline in the books to follow. I mean, when you look back in history, the only thing that would come to mind I think would be Tylenol.
CARR: Well, I admit that's one of the first things that came to my mind as well. When we started thinking about our approach, actually, I talked to the former CEO of Johnson & Johnson and got some advice from him the week after we learned about this problem.
FIELD: So, Bob, professionally what was your response strategy once you knew that the incident had taken place and you had to react?
CARR: The first thing I thought of, obviously, was bringing the rest of the senior management of the company into discussions, so that we could all get each other's input on next steps, what to do. Our attorneys were instructed to check all of the laws that related to disclosure and quickly learned that we needed to check with law enforcement, which we did, to see if they were in the middle of any investigation that we might mess up if we did make a public announcement.
We knew that we were required as a public company to report a material event, but we checked with law enforcement to make sure that that was not going to be a problem for a potential investigation. We also talked to the senior employees in the company and decided to make a public announcement as soon as possible, which we did the following Tuesday (Monday was a holiday). We announced it before the stock market opened. And we worked to get advice from those who had been through corporate crisis before. We hired a firm that specialized in this to get their advice and obviously talked to attorneys.
FIELD: You mentioned talking to the former CEO of Johnson & Johnson, which raises the question: Where do you go to get cues for how to respond to such an incident as this?
CARR: Fortunately, Heartland is a company, I think, that is a model for transparency in our industry. That is just who we are; it is our DNA, and doing the right thingï¿½if we had done something very wrong, at least if I had felt that we had done something very wrong, maybe I would not have taken this approach. I don't know. But we felt like we were the victims. We weren't perfect and the cause of it -- it was not anybody's fault, but our own in a sense, and we didn't want to try to blame anybody else.
So, our approach was basically be candid about this, tell the truth, tell our employees about what happened and what could possibly happen and what they could do to help us. And then because of this -- not because we wanted it, for sure -- but basically I was handed a microphone, and I used that microphone to talk to our industry about fixing the root cause of the problem of weak security.
The security approach in our industry has been: Build higher and thicker walls around the castle, and build moats around the wall. And that approach just was - well, the guys trying to break down the walls and get through the moats were spending a lot more time on their efforts than the industry had been in figuring out how to build the security.
We had already been working on ways to encrypt data from the point of entry into our system, and we worked very hard and began spending literally millions of dollars to bring a solution to our customers and to ourselves for full end-to-end encryption. We started talking about this, and I was able to lead the effort to form an industry group called the Payment Processors Information Sharing Council that has now been formed, and 90 percent of the processing volume is represented in this brand new group. It focuses on the root cause of the problem and just general security in payments industry. That was an opportunity that was given to us, and we took advantage of it, and I think looking back now, more than a year and half, I think it worked pretty well for us.
FIELD: No question nobody has been more outspoken on end-to-end encryption than you have, and that's a good point. As you look back on these 18 months, what do you feel you did particularly well in how you handled the crisis?
CARR: Well, I think maybe the best thing we did was not to try to blame anybody else for the problem. We could have easily talked about a lot of the weaknesses in the system. We could have talked about the PCI Council's requirements. We could have talked about a number of different things.
I think being candid about it and engaging the stakeholders in a credible and transparent way, I think those are the things that helped. And then for us to work on our solution, our end-to-end encryption solution and help the industry sort of get their arms around enhanced security. The PCI rules are good rules, but they can be enhanced.
And so we worked with a number of organizations. There has been a tremendous amount of communication around not only end-to-end encryption, but also tokenization and chip and PIN and EMV, and I think frankly that we were the leaders in getting that discussion going at the level it has been conducted at, and I am very proud that we did play that role. It makes me feel like we have taken this situation and made a positive out of it as much as that was possible.
FIELD: Bob what, if anything, would you do any differently?
CARR: Well I made a comment, which I believe is still true, that the QSA's that come in and do forensics audits if you will, or reviews, that their reports weren't worth the paper that they were written on. Many of those folks, of course, took great exception to that comment. I could have made my point perhaps in a more respectable way. I was not trying to be disrespectful, but obviously that statement would imply otherwise. So that is one thing I would do differently, and also frankly would have let the stock market know through earnings calls that our earnings were not going to be able to be sustained, that we would be taking some hits in our earnings. That was obvious to me, but for some reason it was not obvious to Wall Street, and I think our stock got pummeled way more that it should have. Of course, it came back, but I would have been more sensitive to that topic as well.
FIELD: So through no desire of your own you have gone into the history books now about what to do when you are in charge during a crisis. What would you say your biggest lessons learned are that you could pass on to somebody else?
CARR: First, don't blame other people, even if you feel like a lot of the blame belongs on others. Communicate openly and honestly with employees and customers; of course that assumes that you feel like you really did nothing inherently wrong -- that you have got to work into it with clean hands, which is what I felt and still feel. Be transparent and tackle the major causes of the problem. I think that probably is the number one thing that we did that helped us get through this.
We really went after the problem, ways to solve this problem, got the industry together to talk about them and look at everything that has happened since. Obviously, just the nature of the breach and the magnitude of the breach got everybody focused on this, so that was part of that. I won't take all of the credit, but I am going to take a little bit of the credit for steering the discussion in the direction of enhanced security methods, and I think two, three, four years form now we are going to look back and say that really did make a major, major difference in improving security in the payments industry.
FIELD: So years from now, some other CEO calls you up and says 'Bob, I have got to know what to do in a time of crisis," what is the one piece of advice you are going to offer?
CARR: I'm going to tell them that the Tylenol model does work, because this wasn't our invention, this concept, it was Johnson & Johnson's. And my hats off to that company.
FIELD: Bob, thank you so much for taking time answer my questions today.
CARR: My pleasure. Thank you very much.
FIELD: We have been talking about leadership in crisis management. We have been talking with Bob Carr, CEO of Heartland Payment Systems. For Information Security Media Group, I'm Tom Field. Thank you very much.