Visa drops Heartland, RBS WorldPay from PCI compliance list after breaches

Payment processors need to be recertified on security rules; some analysts see delisting move as a case of 'Visa protecting Visa'

Page 2 of 2

David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues, said he isn't sure exactly what it means for a payment processor to be put on probation by Visa. But he added that he sees the delistings and Heartland's reported probation as an attempt by Visa to show banks and the general public that it's doing something to penalize Heartland and RBS WorldPay for their breaches.

"It's a difficult situation for [Visa]," Taylor said. "Here are two of their larger payment providers with breaches within a relatively short period. Visa wants to let people know that they are serious about security." At the same time, the credit card company appears anxious to avoid any discussions about the effectiveness of the PCI standards, he added.

Taylor agreed with Litan that Visa's move to remove Heartland and RBS WorldPay from its PCI-compliant list will have little real effect on merchants that do business with the payment processors. "Just because they're no longer on Visa's list doesn't invalidate the contracts that merchants have with these two processors," he said. "This is all about Visa protecting Visa."

RBS WorldPay, an Atlanta-based division of The Royal Bank of Scotland Group PLC, disclosed in December that the personal data of about 1.5 million holders of prepaid payroll and gift cards had been compromised during a system intrusion. Princeton, N.J.-based Heartland reported a similar breach in January. The company, which processes more than 100 million transactions per month, has yet to say how many card numbers were compromised in the intrusion.

There is precedent for harsh action to be taken against a payment processor that has been breached. When CardSystems Solutions Inc., then a major payment processor, was hit by a data breach that compromised about 40 million payment cards in 2005 — just months after the first version of the PCI standard was announced — Visa and American Express Co. stopped doing business with CardSystems. It was later sold to another company that has since gone out of business.

But Jim Huguelet, an independent PCI analyst in Bolingbrook, Ill., said that Visa's relatively modest sanctions against Heartland and RBS WorldPay are understandable given the "competing interests" that the credit card company has to consider in such cases. "Ultimately, a card processor is a business partner of Visa and the other payment [card] brands, and it's difficult to levy significant sanctions against one of your largest business partners," he said.

In response to a request for comment about the sanctions, Heartland said via e-mail that it is "cooperating fully with Visa and other card brands" to ensure that the payment-processing environment is secure. The statement made no mention of Heartland's removal from Visa's PCI-compliant list or of its reported probation. But Heartland did say that it is undergoing its 2009 PCI assessment and that it hopes to be certified as fully compliant with the security rules by "no later than May 2009."

Also by e-mail, RBS WorldPay acknowledged that it had been removed from the PCI-compliant list and said that Visa had asked it to obtain a new certification of compliance because of the breach. The payment processor, which was certified as compliant with the PCI rules last June, said its goal is to be recertified by the end of April.

"There have been no material system changes that would have negatively altered [last June's] certification, and we have in fact enhanced the security of our systems in the interim," RBS WorldPay said. "[But] because of the criminal intrusion, we need to be recertified earlier than the normal schedule."

Visa, meanwhile, declined to comment on the implications of its move to delist the two companies, including the issue of whether merchants would be required to sign up with new payment processors in order to remain PCI-compliant.

Copyright © 2009 IDG Communications, Inc.
