March 26, 2009

Visa pulls Heartland and RBS WorldPay from PCI compliance list


By Verdict Staff

Heartland Payment Systems and RBS WorldPay, the two payment processing organisations that were victims of recent high-profile data breaches, have been removed from Visa’s list of Payment Card Industry Data Security Standard (PCI DSS) compliant entities. 

But the two organisations insist the suspension is only temporary and that they are both making strenuous efforts to achieve revalidation.

PCI DSS is a set of requirements developed by the major global payment card networks – Visa, MasterCard, American Express, Discover and Japan’s JCB – that obligates organisations to take specific steps to secure cardholder data.

Merchants and processors are required to submit an annual on-site assessment in order to be validated.

PCI regulations stipulate that merchants are prohibited from conducting business with non-compliant organisations. However, of all the card brands associated with PCI DSS, it is only Visa that keeps a list of compliant organisations.

By removing the two from its list, Visa may be more motivated by protecting itself legally should any future lawsuits arise, rather than imposing punitive measures on the processors themselves, given that Heartland and RBS WorldPay were already confirmed as being PCI DSS-compliant at the time of their security breaches.

RBS WorldPay was the victim of an unprecedented global ATM breach in late 2008, which potentially compromised the data of 1.5 million prepaid cardholders.

Heartland revealed in January 2009 that its processing systems had been breached by malicious software, potentially putting millions of cardholders at risk. Visa and MasterCard had initially alerted the company to the breach in mid-2008.

Following its removal from the PCI DSS compliance list, Heartland responded by saying that the intrusion has been “contained” and that it is still actively processing Visa transactions.

Heartland said that it was cooperating fully with Visa and other card brands to revalidate its PCI DSS status by no later than May 2009.

“We are currently undergoing our 2009 PCI DSS evaluation by a qualified security assessor [QSA] and are confident that this QSA is doing a thorough job,” the company said in a statement on its website.

“Many of the firm’s recommended enhancements to our security have already been implemented, and others will be as part of the current audit.”

“We were certified as PCI DSS-compliant for each of the past five years without any indication of major issues with any aspects of the PCI DSS regulations,” the statement continued.

“Nothing significant was changed in our system in the short time between our latest certification in April 2008 and the onset of the intrusion into our payment processing system in May 2008.”

An RBS WorldPay spokesperson told CI: “RBS WorldPay received its PCI Report on Compliance in June 2008 from a qualified assessor. Visa has asked us to obtain a new certificate of PCI compliance because of the recent data security compromise. We expect that Visa will remove us from its list of approved PCI-compliant processors until the new certification is complete. Our goal is to have a new Report on Compliance by April.”

Passing the buck?

The breaches focused attention on just how effective the PCI DSS standards really are, given that organisations at the moment need only to pass an annual check and be compliant with the rules at the time of their assessment.

But Visa’s chief enterprise risk officer, Ellen Richey, is adamant that the standards as they exist are sufficient, and that it is the responsibility of organisations seeking compliance to remain vigilant.

Richey added that payment card data fraud rates remain “near historic lows” despite economic turbulence and high-profile data breaches, and called for continued industry investment, collaboration and innovation to keep payment systems secure in the future.

“Massive investments and innovative solutions have kept fraud rates near an all-time low,” said Richey.

“The best way to build on this track record is by having all players in the payment system share responsibility and maintain their investments in security – even during these times of economic challenge.”
