The Tech Herald

Visa removes Heartland and RBS WorldPay from PCI DSS list (Update 2)

by Steve Ragan - Mar 13 2009, 23:27

Update 2:

RBS WorldPay issued the following to The Tech Herald:

“RBS WorldPay received its Payment Card Industry (PCI) Report on Compliance (ROC) in June of 2008 by a qualified assessor. Visa has asked us to obtain a new certification of PCI compliance because of the recent data-security compromise. Visa has removed us from its list of approved PCI-compliant processors until the new certification is complete. Our goal is to have a new ROC by the end of April.”
“There have been no material system changes that would have negatively altered this certification and we have in fact enhanced the security of our systems in the interim. Because of the criminal intrusion, we need to be recertified earlier than the normal schedule.”

When asked about the notices in February, the RBS spokesperson said, “there was no new breach.” This leaves it open to speculation that the original breach was worse than previously thought, considering the information available [See related articles. Heartland said the same thing, along with Visa].

Update:

Heartland has sent the following statement:

“Heartland Payment Systems is pleased to continue our long relationship with Visa. Heartland is cooperating fully with Visa and other card brands and we are committed to having a safe and secure processing environment. Heartland was certified as PCI-DSS compliant in April 2008 and expects to continue to be assessed as PCI-DSS compliant in the future. We're undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant.”

Original article follows:

In a statement issued this afternoon, Visa said that Heartland Payment Systems and RBS WorldPay have been removed from its list of PCI DSS-compliant service providers.

“As part of our commitment to data security and fraud prevention, Visa joined others in the industry to create the Payment Card Industry Data Security Standard (PCI DSS), a single standard that serves as a consistent framework of data security requirements. Compliance with the PCI DSS has significantly reduced unauthorized access to cardholder data,” Visa’s statement said.

“Recently, Heartland Payment Systems and RBS WorldPay publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands. Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers...Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance.”

The Tech Herald has requested comment from both Heartland and RBS WorldPay. If they respond, we will update this article.

Moreover, the spokesperson from Visa could not comment on whether the de-listing was due to the previously reported breaches or was tied to the alerts that started to circulate last month. To date, RBS WorldPay has yet to address rumors that its original network breach led to far more loss than reported.

“It’s essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of their customers’ financial information. The PCI DSS remains an effective security tool when implemented properly – and remains the best defense for businesses against the loss of sensitive data,” Visa added.

While Visa makes a point, there is one important fact businesses must remember: PCI compliance does not mean instant security.

“The PCI DSS has driven many organizations to implement important security controls that provide better protection of card holder data which raise the difficulty level and the resources required for unauthorized access of cardholder data. However, the PCI DSS is imperfect because every organization’s risk profile, processes and systems are different,” Gretchen Hellman, vice president of security solutions at Vormetric, told The Tech Herald.

“Given that, a strong security program cannot be placed into a universal checklist of items, but needs to come from balancing risk and business impacts with controls. [Heartland's] breach is a primary demonstration that the harder you make security to bypass, the more sophisticated the attacks become.”

The Tech Herald: RBS WorldPay has yet to address rumors - are they the third breach?

The Tech Herald: Another payment processor has been breached, but which one?

The Tech Herald: Does the Heartland breach prove PCI useless?

The Tech Herald: Arrests made for using Heartland’s hijacked credit card numbers
