Despite the removal of Heartland Payment Systems Inc. and RBS WorldPay from Visa Inc.'s list of PCI-compliant processors, Visa has assured merchants they can continue to use the processors without the threat of fines, according to Avivah Litan, an analyst with Gartner Inc., a Stamford, Conn.-based consultancy. In a report issued yesterday, Litan notes that Visa issued a statement to Gartner on March 19 attesting to this "safe harbor" status for merchants processing with Princeton, N.J.-based Heartland and Atlanta-based RBS WorldPay.
Heartland's and RBS WorldPay's absence from the list of Payment Card Industry-compliant providers will not mean otherwise compliant merchants will be subject to non-compliance fines, the statement, which was released by Visa to CardLine, says. Visa also says it will consider relisting both processors as compliant once they have completed new security audits.
Some merchants expressed confusion about the wisdom of continuing to use the companies to process their transactions, Litan's report notes. Heartland says it has sent cease-and-desist letters to competitors it alleges have told merchants they face being fined for using Heartland. The processor says it may sue those companies if they do not stop telling merchants that. Both Heartland and RBS WorldPay expect to attain PCI-compliant status in the coming weeks (CardLine, 3/16).
Litan writes in her report that Visa consistently has argued that merchants should use PCI-compliant processors, "but the security breaches at the two processors placed the card brand in a difficult position. Visa had to stand by its long-standing policy, but its delisting decision had raised questions about whether the processors' clients could continue to do business with them. Visa clearly did not want to risk putting the processors out of business, partly because of the potentially enormous disruption to their hundreds of thousands of merchant customers."
Asked if she believes the Visa response is contradictory, Litan, in an e-mail message to CardLine earlier today, noted that PCI enforcement is vague. "The rules are never very clear. This is another example of that. On the surface this represents a contradiction. But in practice, this is business as usual for PCI enforcement," she wrote. Besides assuaging merchant concerns about using Heartland and RBS WorldPay, the major card brands should make public their enforcement policies, provide ongoing policy clarifications and emphasize continuous cardholder-data security rather than relying on PCI compliance as a solution, Litan says.











