Visa Slaps Payment Processors over Breaches, Defends PCI Rules

Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules

Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules. But analysts said the move may be more about Visa protecting itself than about improving the security of payment card data.

Visa said on March 13 that it was dropping Heartland Payment Systems Inc. and RBS WorldPay Inc. from its PCI-compliant list. The company added that it would "consider" restoring Heartland and RBS WorldPay if they are recertified as compliant by third-party assessors.

Gartner Inc. analyst Avivah Litan said that, strictly speaking, Visa's actions mean merchants can't use either payment processor if they themselves want to remain compliant with the PCI rules, which are known as the Payment Card Industry Data Security Standard (PCI DSS).

It's highly unlikely, though, that Visa intends for the sanctions to be interpreted in such a restrictive way, Litan said. Instead, she contended, they appear to be designed primarily to give Visa legal protection and prevent Heartland and RBS WorldPay from using PCI DSS as a shield against breach-related lawsuits.

"This is all about Visa protecting Visa," agreed David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.

Taylor acknowledged that the two breaches have created a "difficult situation" for Visa, which has taken the lead among credit card companies in trying to enforce the PCI rules. But Visa officials seem anxious to avoid getting into debates about the standard's effectiveness, he said.

In a speech at the Global Security Summit, which Visa held in Washington last week, Ellen Richey, Visa's chief enterprise risk officer, insisted that PCI is "an effective security tool when implemented properly."

The breach at Heartland wouldn't have happened, Richey said, if the payment processor had been vigilant about maintaining its PCI compliance. "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach," she said.

However, Heartland has said that its PCI compliance was validated by an auditor last April, only a month before the breach is thought to have begun.

Similarly, RBS WorldPay, which was certified as compliant last June, said last week that it has made "no material system changes that would have negatively altered the certification."

Copyright © 2009 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!