Visa drops Heartland, RBS WorldPay from PCI compliance list after breaches
Payment processors need to be recertified on security rules; some analysts see delisting move as a case of 'Visa protecting Visa'
Computerworld - Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data-security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.
In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of service providers compliant with PCI (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" putting Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor.
Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.
Strictly speaking, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS), said Gartner Inc. analyst Avivah Litan.
It's highly unlikely, though, that Visa intends for its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said. Heartland and RBS WorldPay are among the largest payment processors in the U.S., with hundreds of thousands of customers between them. According to Litan and other analysts, it's unrealistic to expect merchants that rely on those two companies to switch to other payment-processing vendors, at least in the short term.
Instead, the sanctions appear be designed primarily to take Visa out of the picture in any legal battles that may ensue as banks and credit unions try to recoup breach-related costs from Heartland and RBS WorldPay, Litan said.
Under Visa's security rules, she noted, a breached entity can avoid fines if it can show that it was in full compliance with the PCI DSS requirements before and at the time when the breach occurred. Both Heartland and RBS WorldPay previously asserted that they had been assessed as being fully PCI-compliant prior to their respective breaches. Visa now appears to be attempting to make a case that neither company was compliant — a tactic that Litan thinks is aimed at preventing them from using PCI as a shield against lawsuits being filed by banks.
"It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Best Practices in BYOD: BlackBerry Enterprise Service 10 Manageability, security and support - these are just a few of the reasons BlackBerry® Enterprise Service 10 is such a powerful Enterprise Mobility...
- How to Migrate from BlackBerry Enterprise Server v4.0 or v5.0 to BlackBerry Enterprise Service 10 With BlackBerry® Enterprise Service 10, you can manage your entire mobile fleet through a single, unified interface. Find out how to make the...
- Choosing an MDM Platform: Where to Start the Conversation If you're in the early stages of choosing an MDM solution, or you're considering switching vendors, here are seven critical questions to ask...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Legal White Papers | Webcasts