Heartland Payment Systems and RBS WorldPay, the two payment processing organisations that were victims of recent high-profile data breaches, have been removed from Visa’s list of organisations validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS). Both organisations insist the suspension is only temporary and say they are making strenuous efforts to achieve revalidation.
PCI DSS is a set of requirements developed by the major global payment card networks – Visa, MasterCard, American Express, Discover and Japan’s JCB – that obliges organisations handling card payments to take specific steps to secure cardholder data. Merchants and processors are validated through an annual on-site assessment by a Qualified Security Assessor (QSA); validation therefore attests to the state of controls on the day of the assessment, not to continuous compliance.
PCI rules stipulate that merchants are prohibited from conducting business with non-compliant organisations. However, of all the card brands associated with PCI DSS, only Visa maintains a public list of organisations validated as compliant.
By removing the two from its list, Visa may be motivated more by protecting its own legal position in any future lawsuits than by punishing the processors, given that both Heartland and RBS WorldPay had been validated as PCI DSS-compliant at the time of their breaches.
RBS WorldPay was the victim of an unprecedented global ATM breach in late 2008, which could potentially have compromised the data of 1.5 million prepaid cardholders. Heartland revealed in January 2009 that its processing systems had been breached by malicious software, potentially putting millions of cardholders at risk; it had initially been alerted to the breach by Visa and MasterCard.
Following its removal from the PCI DSS compliance list, Heartland responded by saying that the intrusion had been “contained” and that it was still actively processing Visa transactions. Heartland said it was cooperating fully with Visa and the other card brands to revalidate its PCI DSS status no later than May 2009.
“We are currently undergoing our 2009 PCI
DSS evaluation by a qualified security assessor [QSA] and are
confident that this QSA is doing a thorough job,” the company said
in a statement on its website.
“Many of the firm’s recommended
enhancements to our security have already been implemented, and
others will be as part of the current audit.”
“We were certified as PCI DSS-compliant for each of the past five years without any indication of major issues with any aspects of the PCI DSS regulations,” the statement continued.
“Nothing significant was changed in our
system in the short time between our latest certification in April
2008 and the onset of the intrusion into our payment processing
system in May 2008.”
An RBS WorldPay spokesperson told
CI: “RBS WorldPay received its PCI Report on Compliance in
June 2008 from a qualified assessor. Visa has asked us to obtain a
new certificate of PCI compliance because of the recent data
security compromise. We expect that Visa will remove us from its
list of approved PCI-compliant processors until the new
certification is complete. Our goal is to have a new Report on
Compliance by April.”
Passing the buck?
The breaches focused attention on just how effective PCI DSS really is, given that organisations currently need only pass an annual assessment and be compliant with the requirements at the time of that assessment: compliance is validated at a point in time, not monitored continuously, so a listed organisation can drift out of compliance without any change to its status.
But Visa’s chief enterprise risk officer,
Ellen Richey, is adamant that the standards as they exist are
sufficient, and that it is the responsibility of organisations
seeking compliance to remain vigilant.
Richey added that payment card data fraud
rates remain “near historic lows” despite economic turbulence and
high-profile data breaches, and called for continued industry
investment, collaboration and innovation to keep payment systems
secure in the future.
“Massive investments and innovative solutions have kept fraud rates near an all-time low,” said Richey.
“The best way to build on this track
record is by having all players in the payment system share
responsibility and maintain their investments in security – even
during these times of economic challenge.”