Visa drops Heartland, RBS WorldPay from PCI compliance list after breaches
Payment processors need to be recertified on security rules; some analysts see delisting move as a case of 'Visa protecting Visa'
Computerworld - Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data-security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.
In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of service providers compliant with PCI (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" putting Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor.
Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.
Strictly speaking, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS), said Gartner Inc. analyst Avivah Litan.
It's highly unlikely, though, that Visa intends for its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said. Heartland and RBS WorldPay are among the largest payment processors in the U.S., with hundreds of thousands of customers between them. According to Litan and other analysts, it's unrealistic to expect merchants that rely on those two companies to switch to other payment-processing vendors, at least in the short term.
Instead, the sanctions appear be designed primarily to take Visa out of the picture in any legal battles that may ensue as banks and credit unions try to recoup breach-related costs from Heartland and RBS WorldPay, Litan said.
Under Visa's security rules, she noted, a breached entity can avoid fines if it can show that it was in full compliance with the PCI DSS requirements before and at the time when the breach occurred. Both Heartland and RBS WorldPay previously asserted that they had been assessed as being fully PCI-compliant prior to their respective breaches. Visa now appears to be attempting to make a case that neither company was compliant — a tactic that Litan thinks is aimed at preventing them from using PCI as a shield against lawsuits being filed by banks.
"It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Legal White Papers | Webcasts