Visa pulled Heartland Payment Systems and RBS WorldPay from its list of PCI compliant service providers, placing the two on probation until they close the holes that led to the massive data breaches reported in January and December. Both continue to serve as processors in the Visa system.
“Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will consider re-listing both organizations following their submissions of their PCI DSS reports on compliance,” Visa said in a written statement.
Heartland was PCI compliant when last assessed in April 2008. In a written statement the company said it is “undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant.”
Similarly, RBS WorldPay says it was certified compliant last June, and is now going through the process of re-certification. “Visa has asked us to obtain a new certification of PCI compliance because of the recent data-security compromise. Visa has removed us from its list of approved PCI-compliant processors until the new certification is complete. Our goal is to have a new ROC by the end of April,” the company said in an e-mailed statement.
In the wake of the latest breaches, Visa has taken pains to underscore that the PCI DSS standard works when participants are in compliance. “The PCI DSS remains an effective security tool when implemented properly – and remains the best defense for businesses against the loss of sensitive data,” the company says.
Industry players disagree. As soon as the breach was reported, Heartland CEO Robert Carr sought higher ground, calling on the industry to move to end-to-end encryption to secure data, and for incident information sharing among industry participants.
The American Bankers Association is advocating that other partners in the payments industry be subject to the risk-based approach delineated in the Gramm-Leach-Bliley Act that banks must follow, in addition to the prescriptive PCI approach.
“We’re always interested in ensuring that our partners have to abide by the same information security standards that we do,” says Doug Johnson, VP of risk management policy at the ABA.