Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data-security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.
In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of service providers compliant with PCI (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" putting Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor.
Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.
Strictly speaking, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS), said Gartner Inc. analyst Avivah Litan.
It's highly unlikely, though, that Visa intends for its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said. Heartland and RBS WorldPay are among the largest payment processors in the U.S., with hundreds of thousands of customers between them. According to Litan and other analysts, it's unrealistic to expect merchants that rely on those two companies to switch to other payment-processing vendors, at least in the short term.
Instead, the sanctions appear be designed primarily to take Visa out of the picture in any legal battles that may ensue as banks and credit unions try to recoup breach-related costs from Heartland and RBS WorldPay, Litan said.
Under Visa's security rules, she noted, a breached entity can avoid fines if it can show that it was in full compliance with the PCI DSS requirements before and at the time when the breach occurred. Both Heartland and RBS WorldPay previously asserted that they had been assessed as being fully PCI-compliant prior to their respective breaches. Visa now appears to be attempting to make a case that neither company was compliant — a tactic that Litan thinks is aimed at preventing them from using PCI as a shield against lawsuits being filed by banks.
"It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."