Heartland Dropped From Compliant List
Visa also pulled RBS Worldpay off of the security compliance list. RBS Worldpay is a subsidiary of the Royal Bank of Scotland.
"Recently, Heartland Payment Systems and RBS WorldPay publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands. Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers," Visa announced on March 12. "Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a qualified security assessor. Visa will consider relisting both organizations following their submissions of their PCI DSS reports."
In a statement that followed the Visa announcement but did not address it directly, the processor said it looked forward to being compliant with industry data standards again soon. "Heartland Payment Systems is pleased to continue our long relationship with Visa. Heartland is cooperating fully with Visa and other card brands," the statement said.
The processor again noted that it was certified as compliant with data security standards in April 2008 and expected to continue to be assessed as PCI-DSS compliant.
"We're undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant," the company said.
Avivah Litan, an analyst with Gartner Research, said that what being stricken from the list means to Heartland remains unclear. "One of the problems with the PCI is that compliance has always been murky," Litan said. "They clearly didn't want to put Heartland out of business since, if they wanted to do that, they could have just announced that they were no longer allowed to process Visa transactions."
Litan said it appeared to her that Visa's move was meant primarily to insulate the company legally and to make it clear that Heartland was not compliant with the data security standards and therefore solely liable for the breach.
Litan also expressed concern about what the Heartland case might mean for the data security standards system itself. On the one hand, she said, it was better to be compliant with a data security program than not compliant, but on the other hand, how long would retailers want to pay the expenses of keeping up with a data security standard that did not really protect them?
"Personally, I have never thought the burden for data security should be solely on the retailers or merchants," Litan said. "I think the whole payment system needs to be tightened up," including, she explained, looking again at moving to so-called "chip and PIN" cards, which rely on an embedded microchip and a personal identification number for security.