The Green Sheet

Wednesday, March 25, 2009

RBS, Heartland PCI compliance revoked: What's next?

Following a stretch in which no penalty was handed down for two large-scale data breaches, Visa Inc. revoked the Payment Card Industry (PCI) Data Security Standard (DSS) compliant statuses of both Heartland Payment Systems Inc. and RBS WorldPay Inc. on March 13, 2009.

Both companies recently disclosed breaches to their data networks that compromised the information of thousands of clients – RBS indicated it had been breached in December 2008, and Heartland in January 2009.

Heartland said no confidential merchant data, Social Security numbers, unencrypted PINs, addresses or telephone numbers were stolen; RBS said information from only about 100 consumer cards in its system was fraudulently used.

Reinstatement coming

Each company also said reinstatement of its PCI-compliant status is forthcoming.

"We … believe that by no later than May 2009, we will be returned to the Visa list of PCI DSS compliant service providers," said Robert Carr, Heartland's founder, Chairman and Chief Executive Officer, in a written statement. A statement from RBS said the company hoped to be recertified by the end of March 2009.

No sanctions against RBS or Heartland have, as yet, been reported. A media spokesperson for Visa wouldn't comment on the matter, and both RBS and Heartland limited their comments to written statements.

But observers believe both WorldPay and Heartland are likely looking at huge fines and possibly the loss of merchants, not to mention further reputational damage.

"[Revoking their statuses] increases the pressure on merchants and other people on the processing chain about whether they should go through Heartland," said Tim Cranny, CEO for information technology security company Panoptic Security Inc., about the Heartland matter.

"Merchants have an explicit obligation to work with people who are PCI compliant, and this chain of obligations means when something like this happens, it's not just bad publicity; it really puts a barrier to merchant uptake and retention."

Who's in charge?

Visa's decision is not the final word on either company's compliance status – only a verdict handed down by one company. The PCI Security Standards Council (SSC) is, in Cranny's words, "a synchronizing body," but its standards are enforced separately by each of the major card brands with a seat on the council.

"The card brands, not the PCI SSC, monitor compliance," said Bob Russo, General Manager, PCI SSC. "Whether a participating organization is or is not in compliance with the PCI Data Security Standard is determined individually by the payment card brands."

Heartland, for example, has so far retained its compliant status under American Express Co. and Discover Financial Services, even after Visa revoked it. And the company said it is still processing Visa card transactions as well, despite some assertions in the media to the contrary.

"We are actively processing Visa transactions, as well as those of the other card brands," Carr said. "Statements that Heartland is disconnected from the processing system are false."

Merchants on the move

To be sure, the particulars of RBS' and Heartland's relationships with Visa are less than clear, and it remains to be seen the degree to which the loss of compliant status affects merchant retention.

Merchants generally are required by the PCI DSS to work with a PCI compliant processor, just as they are required to be compliant themselves, said Attorney Adam Atlas, who specializes in payments industry matters.

But there arguably has been no overriding verdict that either is noncompliant, and the companies' assertions that their out-of-compliance labels are temporary may persuade merchants on the fence to stick it out.

"All we hear in the industry, up and down, is everyone who's anyone has to be PCI compliant," Atlas said. "But, at the same time, the people who control the levers of power at Visa are not going to shut down hundreds of thousands of merchants … and I don't think anybody expects all of Heartland's merchants to just walk away, and I don't think anybody would force them to do that, and I don't think they should do that."

Cranny said merchants commonly switch processors anyway, a trend that bodes poorly for Heartland and RBS.

"It's getting easier for merchants and other people in the industry to switch from one processor to the other," he said. "There are not huge, permanent barriers to switching and to entry, which makes it harder and harder for these organizations to differentiate themselves and maintain customer loyalty."

Underlying the whole affair, and what may help determine the fates of both Heartland and RBS, are the as yet unrevealed reasons why Visa revoked their compliance statuses (sources close to the matter would not comment on what the post-breach audits have found, saying only that they were ongoing).

While the announcement suggests audits of the two companies revealed noncompliant practices, some contend Visa made a decision in response to the breaches without considering PCI compliance, per se. Heartland passed its last PCI certification audit in April 2008, and RBS was last certified in June of that year.

Innocent until proven noncompliant

"No negligence has been publicly admitted or proven, but Heartland and RBS have been removed from Visa's PCI compliant service providers list," said Mimi Hart, President of the IT security company MagTek Inc., a Calif.-based ISO. "I am a believer in innocent until proven guilty," she added.

In its statement, RBS said: "There have been no material system changes [since the last certification] that would have negatively altered this certification, and we have in fact enhanced the security of our systems in the interim."

Cranny pointed out that, "to anyone who knows much about security and risk management, it is not the case that a breach automatically means that they failed and were not in compliance." But he added, "In the overwhelming majority of cases when an auditor comes in, they do find material breaches of the data security standard."

Cranny said he was surprised that Visa's decisions took as long as they did, noting that "in most cases the reality [of what happened] can be uncovered by an auditor in … a clear-cut sort of way." But Atlas suggested that diplomatic considerations, not the difficulty of the audit, may have stalled Visa's announcement.

"That's not something Visa can do lightly to an organization like Heartland," Atlas said. "Visa shuts down merchants, or fines merchants and declares them noncompliant probably every day without much ado.

"But [with] Heartland processing for hundreds of thousands of merchants … Visa has to keep in mind that there's more than just Heartland at stake. … They're putting all of those merchants' businesses in jeopardy by making that kind of decision."

PCI changes likely

At any rate, the incidents at Heartland and RBS have put both of those companies and the PCI DSS itself firmly in the spotlight, and there seems to be a consensus that the PCI SSC will make some changes in response to the high-profile breaches.

Cranny said there would likely be changes not only to the PCI DSS but also to the way breaches are handled – "how one manages communications, what actions are taken, how briskly" – while Hart said the use of end-to-end data encryption would be the logical next step.

"I think you will see a fairly quick move towards encryption of data in motion, but this is reactionary and will prove inadequate," she said.

Cranny said the issue ultimately comes down to consumer trust.

"You could have all the standards in the world, all the paperwork, all the processors, but if at the end of the day consumers are hearing bad news and are worried about identity theft … and use cash instead of plastic, then the entire process has to be a failure on some level," he said.

"Visa and MasterCard are not going to say, 'the process worked but consumers are unhappy.' That's like saying the operation was a success but the patient died. So I am confident we will see changes," he added.

The issue of security compromises was touched on last week during the Visa Global Security Summit, held March 19 in Washington, D.C. The event included a presentation by Visa Chief Enterprise Risk Officer Ellen Richey, who told attendees the PCI DSS was still the industry's most effective defense against data theft.

But she added that the annual PCI audits check only for minimum level compliance and that maintaining compliance requires ongoing vigilance.

"No compromised entity to date has been found to be in compliance with the PCI DSS at the time of the breach," Richey said.