The Green Sheet, Inc
The Green Sheet Online Edition

April 13, 2009  •  Issue 09:04:01

RBS, Heartland PCI compliance revoked: What's next?

Following a stretch in which no penalty was handed down for two large-scale data breaches, Visa Inc. revoked the Payment Card Industry (PCI) Data Security Standard (DSS) compliant statuses of both Heartland Payment Systems Inc. and RBS WorldPay Inc. on March 13, 2009.

Visa, however, said in a statement that merchants who continue their alliances with Heartland and RBS won't be fined.

Both companies recently disclosed breaches to their data networks that compromised the information of thousands of clients - RBS indicated it had been breached in December 2008, and Heartland in January 2009.

Reinstatement coming

Each company said reinstatement of its PCI-compliant status is forthcoming.

"We ... believe that by no later than May 2009, we will be returned to the Visa list of PCI DSS compliant service providers," said Robert Carr, Heartland's founder, Chairman and Chief Executive Officer, in a written statement. A statement from RBS said the company hoped to be recertified by the end of March 2009.

No sanctions against RBS or Heartland have been reported. A media spokesperson for Visa wouldn't comment on the matter, and both RBS and Heartland limited their comments to written statements. But observers believe both RBS and Heartland are likely looking at huge fines and possibly the loss of merchants, not to mention further reputational damage.

Who's in charge?

Visa's decision is not the final word on either company's compliance status. The PCI Security Standards Council (SSC) is "a synchronizing body" that maintains the standard, but compliance with that standard is enforced separately by each of the major card brands that sit on the council, according to Tim Cranny, CEO of Panoptic Security Inc.

"The card brands, not the PCI SSC, monitor compliance," said Bob Russo, General Manager, PCI SSC.

Heartland, for one, has so far retained its compliant status under American Express Co. and Discover Financial Services. And the company said it is still processing Visa card transactions as well.

Merchants on the move

Merchants generally are required by the PCI DSS to work with PCI compliant processors, just as they are required to be compliant themselves, said Attorney Adam Atlas, who specializes in payments industry matters.

But Visa's decision not to fine clients of Heartland and RBS may persuade some merchants to stay on board.

"All we hear in the industry, up and down, is everyone who's anyone has to be PCI compliant," Atlas said. "But, at the same time, the people who control the levers of power at Visa are not going to shut down hundreds of thousands of merchants."

The reasons why Visa revoked the compliance statuses of Heartland and RBS have not been revealed (sources close to the matter would not comment on what the post-breach audits have found, saying only that they were ongoing).

Some contend Visa made its decision in response to the breaches without considering PCI compliance, per se. Heartland passed its last PCI certification audit in April 2008, and RBS was certified two months later.

Innocent until proven noncompliant

"No negligence has been publicly admitted or proven, but Heartland and RBS have been removed from Visa's PCI compliant service providers list," said Mimi Hart, President of security software provider MagTek Inc. "I am a believer in innocent until proven guilty."

In its statement, RBS said: "There have been no material system changes [since the last certification] that would have negatively altered this certification."

Changes likely

The incidents at Heartland and RBS have put both of those companies and the PCI DSS itself firmly in the spotlight, and there seems to be consensus that the PCI SSC will make some changes.

Cranny said there would likely be changes to the way breaches are handled - "how one manages communications, what actions are taken, how briskly" - while Hart said the use of end-to-end data encryption would be the logical next step.

"I think you will see a fairly quick move towards encryption of data in motion, but this is reactionary and will prove inadequate," she said.

Cranny said the issue ultimately comes down to consumer trust. "You could have all the standards in the world, all the paperwork, all the processors, but if at the end of the day consumers are hearing bad news ... and use cash instead of plastic, then the entire process has to be a failure on some level," he said.

During Visa's Global Security Summit, held March 19 in Washington, D.C., Visa Chief Enterprise Risk Officer Ellen Richey told attendees that annual PCI assessments validate only a minimum baseline at the time of the audit, and that staying compliant between audits requires ongoing vigilance.

"No compromised entity to date has been found to be in compliance with the PCI DSS at the time of the breach," Richey said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
