March 17, 2009, 8:55 PM — Visa Inc. last week removed breached payment processors Heartland Payment Systems Inc. and RBS WorldPay Inc. from its list of companies that are compliant with the PCI data security rules. But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.
In a terse statement issued last Friday, Visa said it was removing Heartland and RBS WorldPay from its list of PCI-compliant service providers (download PDF) in response to the recent data breaches disclosed by each company. The decision to delist the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" Heartland and RBS WorldPay back on the compliant list, but only after they are recertified by a third-party assessor.
Meanwhile, reports posted by online news site BankInfoSecurity.com and several blogs that follow the payment card industry also cited a March 12 letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.
Strictly speaking, said Gartner Inc. analyst Avivah Litan, Visa's actions mean that merchants can't use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).
It's highly unlikely, though, that Visa intends for its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said. Heartland and RBS WorldPay are among the largest payment processors in the U.S., with hundreds of thousands of customers between them. According to Litan and other analysts, it's unrealistic to expect merchants that rely on those two companies to switch to other payment processing vendors, at least in the short term.
Instead, the sanctions appear to be designed primarily to take Visa out of the picture in any legal battles that may ensue as banks and credit unions try to recoup breach-related costs from Heartland and RBS WorldPay, Litan said.
Under Visa's security rules, she noted, a breached entity can avoid fines if it can show that it was in full compliance with the PCI DSS requirements before and at the time when the breach occurred. Both Heartland and RBS WorldPay previously asserted that they had been assessed as being fully PCI-compliant prior to their respective breaches. Visa now appears to be attempting to make a case that neither company was compliant - a tactic that Litan thinks is aimed at preventing them from using PCI as a shield against lawsuits being filed by banks.
"It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."
David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues, said he isn't sure exactly what it means for a payment processor to be put on probation by Visa. But he added that he sees the delistings and Heartland's reported probation as an attempt by Visa to show banks and the general public that it's doing something to penalize Heartland and RBS WorldPay for their breaches.
"It's a difficult situation for [Visa]," Taylor said. "Here are two of their larger payment providers with breaches within a relatively short period. Visa wants to let people know that they are serious about security." At the same time, the credit card company appears anxious to avoid any discussions about the effectiveness of the PCI standards, he added.
Taylor agreed with Litan that Visa's move to delist Heartland and RBS WorldPay from its PCI-compliant list will have little real impact on merchants that do business with the payment processors. "Just because they're no longer on Visa's list doesn't invalidate the contracts that merchants have with these two processors," he said. "This is all about Visa protecting Visa."
RBS WorldPay, an Atlanta-based division of The Royal Bank of Scotland Group, disclosed in December that the personal data of about 1.5 million holders of prepaid payroll and gift cards had been compromised during a system intrusion there (download PDF). Princeton, N.J.-based Heartland reported a similar breach in January; the company, which processes more than 100 million transactions per month, has yet to say how many card numbers were compromised in the intrusion.
There is precedent for harsh action to be taken against a payment processor that has been breached. When CardSystems Solutions Inc., then a major payment processor, was hit by a data breach that compromised about 40 million payment cards in 2005 - just months after the first version of the PCI standard was announced - Visa and American Express Co. stopped doing business with CardSystems. It was later sold to another company that has since gone out of business.
But Jim Huguelet, an independent PCI analyst in Bolingbrook, Ill., said that Visa's relatively modest sanctions against Heartland and RBS WorldPay are understandable given the "competing interests" that the credit card company has to consider in such cases. "Ultimately, a card processor is a business partner of Visa and the other payment brands - and it's difficult to levy significant sanctions against one of your largest business partners," he said.
In response to a request for comment about the sanctions, Heartland said via e-mail that it is "cooperating fully with Visa and other card brands" to ensure that the payment processing environment is secure. The statement made no mention of Heartland's removal from the Visa PCI-compliant list or of its reported probation. But Heartland did say that it is undergoing its 2009 PCI assessment and that it hopes to be certified as fully compliant with the security rules by "no later than May 2009."
Also by e-mail, RBS WorldPay acknowledged that it had been removed from the PCI-compliant list and said that Visa had asked it to obtain a new certification of compliance because of the breach. The payment processor, which was certified as compliant with the PCI rules last June, said its goal is to be recertified by the end of April.
"There have been no material system changes that would have negatively altered [last June's] certification, and we have in fact enhanced the security of our systems in the interim," RBS WorldPay said. "[But] because of the criminal intrusion, we need to be recertified earlier than the normal schedule."
Visa, meanwhile, declined to comment on the implications of its move to delist the two companies, including the issue of whether merchants would be required to sign up with new payment processors in order to remain PCI-compliant.