Saturday, September 21, 2024

Visa Acts Against Heartland, RBS, but Some Say It's Not Enough

Visa Inc. has kicked breached merchant acquirers Heartland Payment Systems Inc. and RBS WorldPay Inc. off of its list of processors compliant with the Payment Card Industry data-security standard, or PCI. That action sent the acquirers to a netherworld known as probation and triggered a debate in the payments industry about how the card networks should react when hackers break into processors' computer systems.

“I actually thought we were supposed to be getting tougher,” says security researcher David Taylor, founder of Stamford, Conn.-based PCI Knowledge Base. “Probation doesn't seem like it's tough at all.”

Visa has taken tougher action before. In 2005, Visa said it would refuse to accept transactions from CardSystems Inc. after a certain date in the wake of a breach that exposed data on more than 40 million card accounts, the largest card breach of the time. Visa's action turned out to be a death sentence for CardSystems, which sold off its assets (Digital Transactions News, July 19, 2005).

Word of Heartland's probation spread Friday after Visa posted on its merchant Web site a new listing of PCI-compliant processors that didn't include Heartland or RBS WorldPay. At the same time, a leaked communication from a Visa executive to the Visa membership about the Heartland breach made its way around security Web sites and blogs.

In the March 12 letter, chief enterprise risk officer Ellen Richey said Heartland “is now in a probationary period during which it is subject to a number of risk conditions including more stringent security assessments, monitoring, and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.” The letter also said, “Heartland is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be re-listed once it revalidates its PCI DSS compliance using a qualified security assessor and meets other related compliance conditions.”

Heartland had passed its most recent PCI inspection shortly before hackers apparently gained access to its systems last year.

Visa would not comment publicly about the letter, but in a March 13 press statement about the Heartland and RBS WorldPay breaches, the network said only that it “will consider” reinstating the two onto the list. The statement, which didn't use the word “probation,” said, “Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a qualified security assessor. Visa will consider re-listing both organizations following their submissions of their PCI DSS reports on compliance.”

In her letter, Richey also said, “fines will be assessed” to Heartland's sponsor banks, but gave no amounts. “Such fines are part of the program Visa uses to assure compliance with system rules,” the letter said. “Ongoing compliance with PCI DSS helps keep the system more secure for all participants.” The letter did not name the banks, but Heartland's main sponsor is Cleveland-based KeyBank and a secondary sponsor is St. Louis-based Heartland Bank. The banks almost certainly would pass any fines on to Heartland Payment Systems, which has acknowledged the likelihood of fines in the wake of the breach, which it disclosed Jan. 20.

Visa gave card issuers until May 19 to report fraud losses from the Heartland breach. Visa has invoked its Account Data Compromise Recovery Program, under which the network attempts to recover from a breached acquirer a portion of issuers' resulting costs such as re-issuing cards on exposed accounts.

Visa's public statement went on to say that, “It's essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of their customers' financial information. The PCI DSS remains an effective security tool when implemented properly, and remains the best defense for businesses against the loss of sensitive data.”

Princeton, N.J.-based Heartland was diplomatic in a statement it issued Friday. Heartland said it was “pleased to continue our long relationship with Visa. Heartland is cooperating fully with Visa and other card brands and we are committed to having a safe and secure processing environment. Heartland was certified as PCI-DSS compliant in April 2008 and expects to continue to be assessed as PCI-DSS compliant in the future.” Heartland said it expected its PCI assessment will be done in May and that the company will be found to be compliant.

The extent of Heartland's breach still isn't publicly known, but hundreds of banks and credit unions have re-issued cards on compromised accounts.

Atlanta-based RBS WorldPay disclosed an intrusion in December, a breach in which intruders gained access to data linked to some 1.5 million gift card and payroll card accounts, including Social Security numbers for 1.3 million people. The hacking led to a $9 million ATM fraud spree (Digital Transactions News, Feb. 4). Like Heartland, RBS WorldPay had passed its most recent PCI inspection.

In a statement released March 13, the processor said it received a PCI compliance report last June from a qualified PCI assessor. “Visa has asked us to obtain a new certification of PCI compliance because of the recent data-security compromise,” the statement says. “Visa has removed us from its list of approved PCI-compliant processors until the new certification is complete. Our goal is to have a new [report on compliance] by the end of April.” The statement goes on to say that, “There have been no material system changes that would have negatively altered this certification and we have in fact enhanced the security of our systems in the interim. Because of the criminal intrusion, we need to be recertified earlier than the normal schedule.”

CardSystems was a sizable acquirer, but Heartland and RBS WorldPay are even bigger. Banning them from Visa, the largest card network, no doubt could massively disrupt the merchant-acquiring industry, at least temporarily.

Taylor sees Visa's removal of the two from the compliant-processor list as an attempt to look like it is taking strong action that reinforces faith in its system security while at the same time keeping regulators at bay. Many consumers, especially when it comes to online transactions, now view electronic alternatives to the major card brands as more secure, he notes. “I think they're more concerned than ever about driving traffic to alternative payments,” Taylor says. “This is all about managing the public's reaction to the problem and shoring up trust in their brand.”


Digital Transactions