Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.'s list of companies that comply with the PCI data security rules Two payment processors that recently disclosed data breaches have been dropped from Visa Inc.’s list of companies that comply with the PCI data security rules. But analysts said the move may be more about Visa protecting itself than about improving the security of payment card data.Visa said on March 13 that it was dropping Heartland Payment Systems Inc. and RBS WorldPay Inc. from its PCI-compliant list. The company added that it would “consider” restoring Heartland and RBS WorldPay if they are recertified as compliant by third-party assessors.Gartner Inc. analyst Avivah Litan said that, strictly speaking, Visa’s actions mean merchants can’t use either payment processor if they themselves want to remain compliant with the PCI rules, which are known as the Payment Card Industry Data Security Standard (PCI DSS).It’s highly unlikely, though, that Visa intends for the sanctions to be interpreted in such a restrictive way, Litan said. Instead, she contended, they appear to be designed primarily to give Visa legal protection and prevent Heartland and RBS WorldPay from using PCI DSS as a shield against breach-related lawsuits. “This is all about Visa protecting Visa,” agreed David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues.Taylor acknowledged that the two breaches have created a “difficult situation” for Visa, which has taken the lead among credit card companies in trying to enforce the PCI rules. But Visa officials seem anxious to avoid getting into debates about the standard’s effectiveness, he said. In a speech at the Global Security Summit, which Visa held in Washington last week, Ellen Richey, Visa’s chief enterprise risk officer, insisted that PCI is “an effective security tool when implemented properly.”The breach at Heartland wouldn’t have happened, Richey said, if the payment processor had been vigilant about maintaining its PCI compliance. “No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach,” she said.However, Heartland has said that its PCI compliance was validated by an auditor last April, only a month before the breach is thought to have begun.Similarly, RBS WorldPay, which was certified as compliant last June, said last week that it has made “no material system changes that would have negatively altered the certification.” Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe