The Green Sheet Online Edition
April 13, 2009 • Issue 09:04:01
RBS, Heartland PCI compliance revoked: What's next?
Following a stretch in which no penalty was handed down for two large-scale data breaches, Visa Inc. revoked the Payment Card Industry (PCI) Data Security Standard (DSS) compliant statuses of both Heartland Payment Systems Inc. and RBS WorldPay Inc. on March 13, 2009.
Visa, however, said in a statement that merchants who continue their alliances with Heartland and RBS won't be fined.
Both companies recently disclosed breaches to their data networks that compromised the information of thousands of clients - RBS indicated it had been breached in December 2008, and Heartland in January 2009.
Each company said reinstatement of its PCI-compliant status is forthcoming.
"We ... believe that by no later than May 2009, we will be returned to the Visa list of PCI DSS compliant service providers," said Robert Carr, Heartland's founder, Chairman and Chief Executive Officer, in a written statement. A statement from RBS said the company hoped to be recertified by the end of March 2009.
No sanctions against RBS or Heartland have been reported. A media spokesperson for Visa wouldn't comment on the matter, and both RBS and Heartland limited their comments to written statements. But observers believe both RBS and Heartland are likely looking at huge fines and possibly the loss of merchants, not to mention further reputational damage.
Who's in charge?
Visa's decision is not the final word on either company's compliance status. The PCI Security Standards Council (SSC) is "a synchronizing body," but its laws are enforced separately by each of the major card brands on the council, according to Tim Cranny, CEO of Panoptic Security Inc.
"The card brands, not the PCI SSC, monitor compliance," said Bob Russo, General Manager, PCI SSC.
Heartland, for one, has so far retained its compliant status under American Express Co. and Discover Financial Services. And the company said it is still processing Visa card transactions as well.
Merchants on the move
Merchants generally are required by the PCI DSS to work with PCI compliant processors, just as they are required to be compliant themselves, said Attorney Adam Atlas, who specializes in payments industry matters.
But Visa's decision not to fine clients of Heartland and RBS may persuade some merchants to stay on board.
"All we hear in the industry, up and down, is everyone who's anyone has to be PCI compliant," Atlas said. "But, at the same time, the people who control the levers of power at Visa are not going to shut down hundreds of thousands of merchants."
The reasons why Visa revoked the compliance statuses of Heartland and RBS have not been revealed (sources close to the matter would not comment on what the post-breach audits have found, saying only that they were ongoing).
Some contend Visa made its decision in response to the breaches without considering PCI compliance, per se. Heartland passed its last PCI certification audit in April 2008, and RBS was certified two months later.
Innocent until proven noncompliant
"No negligence has been publicly admitted or proven, but Heartland and RBS have been removed from Visa's PCI compliant service providers list," said Mimi Hart, President of security software provider MagTek Inc. "I am a believer in innocent until proven guilty."
In its statement, RBS said: "There have been no material system changes [since the last certification] that would have negatively altered this certification."
The incidents at Heartland and RBS have put both of those companies and the PCI DSS itself firmly in the spotlight, and there seems to be consensus that the PCI SSC will make some changes.
Cranny said there would likely be changes to the way breaches are handled - "how one manages communications, what actions are taken, how briskly" - while Hart said the use of end-to-end data encryption would be the logical next step.
"I think you will see a fairly quick move towards encryption of data in motion, but this is reactionary and will prove inadequate," she said.
Cranny said the issue ultimately comes down to consumer trust. "You could have all the standards in the world, all the paperwork, all the processors, but if at the end of the day consumers are hearing bad news ... and use cash instead of plastic, then the entire process has to be a failure on some level," he said.
During Visa's Global Security Summit, held March 19 in Washington, D.C., Visa Chief Enterprise Risk Officer Ellen Richey told attendees that annual PCI audits check only for minimum level compliance and that maintaining compliance requires ongoing vigilance.
"No compromised entity to date has been found to be in compliance with the PCI DSS at the time of the breach," Richey said.