Heartland Payment Systems Successfully Completes First Phase of End-to-End Encryption Pilot

First AES-encrypted transaction from a merchant card reader to and through a
major processor network completed
PRINCETON, N.J.--(Business Wire)--
Heartland Payment Systems (NYSE: HPY), one of the nation`s largest payments
processors, yesterday successfully completed the first phase of its end-to-end
encryption pilot project. This first step involved the transmission of live AES
(Advanced Encryption Standard)-encrypted card transactions from a merchant to
Heartland`s processing platform. AES is the highest level of encryption and is
currently on track to replace DES (Data Encryption Standard) and Triple DES as
the desired standard for sensitive data. 

According to Robert O. Carr, Heartland`s chairman and chief executive officer,
to his knowledge, this is the first time encrypted transactions have been sent
from a merchant`s card reader to and through a major processor`s payments
network. 

"Yesterday`s transactions involved a Texas-based merchant and multiple credit
card, prepaid and signature debit card transactions testing each of the major
card brands," Carr explained. "These cards were read by our newly developed
pilot tamper-resistant security module (TRSM) terminal. The data was encrypted
as the electronic digits left the magnetic stripe and entered the TRSM hardware
device. The data was then successfully transmitted to and through our processing
platform for authorization and settlement. 

"Typically, cardholder data is unencrypted as it leaves a merchant`s terminal
and is not encrypted until it is either tokenized in a gateway or at rest in the
processing platform`s data warehouse," Carr explains. "This means cardholder
data in transit is at risk of being compromised should it get in the hands of
cyber criminals or hackers via such methods as network or memory sniffer
malware. To protect data throughout the lifecycle of a credit, debit or prepaid
card transaction, Heartland is developing end-to-end encryption technology we
call E3 that is designed to encrypt the transaction from the card read through
our network and ultimately through transmission to the card brands." 

For Heartland, E3 protection involves five payment zones:

       Zone 1:    From data entry/card read at the merchant to the authorization network of the processor.                                                                                          
       Zone 2:    From the entry into the authorization network of the processor and through all points in which data is in motion within the network(s) of the processor and its sub-contractors.  
       Zone 3:    While the data resides in a central processing unit (CPU) or a host security module (HSM).                                                                                        
       Zone 4:    In a direct access storage device (DASD) or archival storage.                                                                                                                     
       Zone 5:    From the processor to the authorization and settlement centers of the card brand or issuer.                                                                                       


"Monday`s successful test involved Zones 1, 2, 3 and 4," detailed Steven M.
Elefant, Heartland`s executive director of end-to-end encryption. "We believe
that protecting data in these zones alone will significantly impact the
protection of cardholder data. 

"In Q4, Heartland expects to enhance protection in Zone 3," Elefant continued.
"Protecting data in Zone 5 is contingent on the card brands. We are in active
discussions with several of the brands, and our conversations have been very
positive. Some card brands have indicated a willingness to pursue accepting
transactions from those processors who send encrypted data. While we work on
Zone 3 and collaborate with the brands on Zone 5, the next phase of this pilot
project involves integrating a set of security-protected chips which we expect
will further safeguard the data throughout the lifecycle of the transaction.
Heartland plans to pilot this next phase in Q309." 

"We plan to continue to expedite the development of E3 and launch it
commercially late this year," Carr concluded. "We also plan to continue working
with the ANSI ASC X9 Committee which is crafting an end-to-end encryption
standard and follow that standard as much as practical. We are also working with
established US equipment and software manufacturers to implement their TRSM
devices into our E3 approach as soon as possible. We believe the marketplace
will accept this higher level of payments security and are willing to share our
knowledge and learnings with all industry stakeholders via the Payment
Processors Information Sharing Council, FS-ISAC and Secure POS Vendor Alliance
organizations." 

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY,
delivers credit/debit/prepaid card processing, payroll, check management and
payments solutions to more than 250,000 business locations nationwide. Heartland
is the founding supporter of The Merchant Bill of Rights, a public advocacy
initiative that educates merchants about fair credit and debit card processing
practices. For more information, please visit
http://www.heartlandpaymentsystems.com and http://www.MerchantBillOfRights.com. 

Forward Looking Statements

This press release may contain statements of a forward-looking nature which
represent our management's beliefs and assumptions concerning future events.
Forward-looking statements involve risks, uncertainties and assumptions and are
based on information currently available to us. Actual results may differ
materially from those expressed in the forward-looking statements due to many
factors, including without limitation the risks that we may be unable to
successfully develop and implement end-to-end encryption technology, the card
brands may not agree to accept encrypted data and the market may not accept the
change from current encryption technology to end-to-end encryption technology.
Information concerning other factors that could cause actual results to differ
from the forward-looking statements set forth herein is contained in the
Company's Securities and Exchange Commission filings, including but not limited
to, the Company's annual report on Form 10- K, or Form 10-Q as applicable. We
undertake no obligation to update any forward-looking statements to reflect
events or circumstances that may arise after the date of this release. 





Heartland Payment Systems, Inc.
Jason Maloni, 202-973-1335
jason.maloni@e-hps.com

Copyright Business Wire 2009