News
Visa Slaps Payment Processors over Breaches, Defends PCI Rules
Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules
By Jaikumar Vijayan, Computerworld
March 23, 2009 — Computerworld —
Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules. But analysts said the move may be more about Visa protecting itself than about improving the security of payment card data.
Visa said on March 13 that it was dropping Heartland Payment Systems Inc. and RBS WorldPay Inc. from its PCI-compliant list. The company added that it would "consider" restoring Heartland and RBS WorldPay if they are recertified as compliant by third-party assessors.
Gartner Inc. analyst Avivah Litan said that, strictly speaking, Visa's actions mean merchants can't use either payment processor if they themselves want to remain compliant with the PCI rules, which are known as the Payment Card Industry Data Security Standard (PCI DSS).
It's highly unlikely, though, that Visa intends for the sanctions to be interpreted in such a restrictive way, Litan said. Instead, she contended, they appear to be designed primarily to give Visa legal protection and prevent Heartland and RBS WorldPay from using PCI DSS as a shield against breach-related lawsuits.
"This is all about Visa protecting Visa," agreed David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.
Taylor acknowledged that the two breaches have created a "difficult situation" for Visa, which has taken the lead among credit card companies in trying to enforce the PCI rules. But Visa officials seem anxious to avoid getting into debates about the standard's effectiveness, he said.
In a speech at the Global Security Summit, which Visa held in Washington last week, Ellen Richey, Visa's chief enterprise risk officer, insisted that PCI is "an effective security tool when implemented properly."
The breach at Heartland wouldn't have happened, Richey said, if the payment processor had been vigilant about maintaining its PCI compliance. "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach," she said.
However, Heartland has said that its PCI compliance was validated by an auditor last April, only a month before the breach is thought to have begun.
Similarly, RBS WorldPay, which was certified as compliant last June, said last week that it has made "no material system changes that would have negatively altered the certification."
© 2009 Computerworld Inc.
Heartland
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- WagerWorks Takes Fraudsters Out of the Game Using iovation
- A Security Blueprint Delivered From within the Network
- Comparing Research In Motion and Microsoft Mobile Solutions
- The Total Economic Impact of Network Security Intrusion Prevention
- Protecting Your Intellectual Property White Paper
- Seven Technologies for Advanced Mail Protection
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
