
Visa removes Heartland, RBS from PCI list

Breaches prompt Visa to remove payment processors from its list of PCI-compliant service providers.

Visa Inc. took Heartland Payment Systems Inc. and RBS WorldPay off its list of service providers that are compliant with the PCI Data Security Standard.

In a statement released Friday, Visa said it was removing the payment processors based on "compromise event findings." RBS WorldPay's disclosure on Dec. 23 that it was breached was followed by Heartland's Jan. 20 announcement that hackers broke into its systems.

"Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor," Visa said. "Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance."

In a prepared statement, Heartland said it was certified as PCI-DSS compliant in April 2008 and expects to continue to be assessed as PCI-DSS compliant in the future.

"We're undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant," the company said.

Princeton, N.J.-based Heartland said its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey.

RBS WorldPay, the U.S. payment processing arm of the Royal Bank of Scotland, said personal information of about 1.5 million pre-paid cardholders and other individuals was compromised when its computer system was hacked. The Social Security numbers of 1.1 million of those cardholders may also have been compromised, the company said.

The stolen data was used in a highly coordinated ATM scam involving cloned payroll debit cards and reloadable gift cards.

"It is heartening to see that the card brands are cracking down on those firms that suffer a breach," Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, said. "Removing them from the Visa list of compliant service providers sends a message that you can't just buy your way out of a breach."

He noted that RBS WorldPay and Heartland have both publicly commented about the high level of sophistication of the attacks against them. Both companies are "somehow trying to hide behind the sophistication of the attacks," he said.

"While I've not seen or heard any hard and fast details about the specific nature of the attacks and tools used, I don't think I would be surprised by the methods used and that there were control breakdowns in several places," Nebel said. "The fact that Visa took them off the list is evidence that the PCI DSS compliance they both had submitted was not adequate."

Randall Gamby, an independent information security analyst based in New York, said Visa's delisting action was standard according to the PCI DSS and could impact business for Heartland and RBS WorldPay.

"The merchants they process for have to make a decision. Are they willing to take the risk that these organizations can secure their data until the QSA findings come out, or will they go another route to process their payments?" he said.

Gamby said that PCI compliance is a good step towards security but it doesn't ensure security. Still, "it definitely hurts you if you don't have that stamp," he added.

David Schneier, a compliance consultant, said what the breaches at Heartland and RBS WorldPay have proven "is that the PCI standard is at best a good place to start but is not, by itself, the solution to the problem."

"PCI certification proves that there are controls in place consistent with the standard and that for the infrastructure elements included in the testing, those controls were applied properly," he said. "What it doesn't do well is address the remainder of the threat universe so there are many, many loopholes and vulnerabilities remaining."

By taking the payment processors off its list of certified providers, Visa is "offering a passive opinion of the PCI standard, which is that it doesn't amount to much in the end," Schneier said.

In its statement, Visa said the PCI DSS "remains an effective security tool when implemented properly – and remains the best defense for businesses against the loss of sensitive data."
