Heartland Data Breach: Visa Sets Deadline for Issuers to File Fraud Claims

Heartland, RBS WorldPay Removed from Visa's Compliant Service Providers List

By Linda McGlasson, March 16, 2009.
Heartland Data Breach: Visa Sets Deadline for Issuers to File Fraud Claims


See Also: Cybersecurity, Digital Transformation and Resiliency - A Lesson for Financial Services Institutions

b>Heartland Payment Systems (HPY) has been removed from Visa's list of compliant service providers, and banking institutions affected by the Heartland data breach have until May 19 to file their fraud claims with Visa.

This news emerged late last week from a public statement by Visa, as well as from a letter sent by the credit card company to card-issuing banking institutions.

In the statement, Visa confirmed that both Heartland and RBS WorldPay as a result of their recent data breaches, have been removed from the company's Payment Card Industry Data Security Standard (PCI DSS) Compliant Service Providers list. This list represents the service providers that Visa has validated as being PCI DSS compliant for merchants and other businesses to run their credit card transactions.

Heartland is now considered to be "on probation," and can apply to be relisted once they revalidate PCI DSS compliance and meet other security stipulations. RBS has been removed from compliant service providers list and is now undergoing PCI recertification, according to an RBS spokesperson.

Heartland, according to spokesperson Jason Maloni, can still process Visa transactions during this probationary period.

In the letter about Heartland to banking institutions (a copy of the letter was obtained by Information Security Media Group, and its contents confirmed by recipients), Visa says:

Heartland is now "in a probationary period" and subject to several risk conditions, including "more stringent security assessments, monitoring and reporting."
Heartland's sponsoring banks will be assessed undisclosed fines as a result of the data breach.
Card issuers can recover an unspecified portion of losses connected to the Heartland breach, but they face a May 19 deadline to file their claims with Visa.

So far, neither MasterCard nor any other credit card company has issued similar statements about Heartland's status or how/if institutions can recover money losses from the breach.

What it Means to Heartland, RBS WorldPay

Visa's action comes less than two months after Heartland announced on January 20 that its payment processing network had been breached by hackers in 2008. To date more than 600 financial institutions in the U.S. and Canada, Guam, and Bermuda have come forward to say their customers' debit and credit cards were compromised as a result of the breach.

RBS WorldPay, another U.S.-based payment processor, revealed last December that 1.5 million customer accounts were compromised in a breach that happened earlier in 2008. The RBS WorldPay breach was discovered after daring, well-orchestrated ATM robberies of $9 million occurred at locations around the globe on November 8.

Prior to this announcement, the last large payment processor removed from the list of compliant service providers was CardSystems, observes David Taylor, Founder of the PCI Knowledge Base, an independent PCI security organization. CardSystems Solutions was a payments processor that was breached in 2005, and subsequently Visa, MasterCard and other credit card companies stopped using it as a service provider. The company that subsequently bought CardSystems went out of business in early 2008.

"My first question is: While Visa still is allowing Heartland to process transactions during the probation period, what price will be inflicted upon them in terms of higher process transaction fees?" Taylor says. Visa's statement did not reveal the details of the terms of probation.

Visa's statement notes that both "Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor." Visa adds it will consider relisting both organizations following their submissions of their PCI DSS reports on compliance.

Heartland Payment Systems spokesman Jason Maloni says Heartland is "cooperating fully with Visa and other card brands, and we are committed to having a safe and secure processing environment."

Maloni says Heartland, which was certified as PCI DSS compliant in April 2008, "expects to continue to be assessed as PCI DSS compliant in the future." Maloni confirmed that Heartland is currently undergoing its 2009 PCI DSS assessment. "Heartland believes [the assessment] will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI DSS compliant," says Maloni.

Visa's action evoked this statement from RBS WorldPay:

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Feds Arrest 'Silk Road' Investigators

The U.S. Department of Justice has charged two former federal agents with money laundering and wire...

Latest Tweets and Mentions

ARTICLE Feds Arrest 'Silk Road' Investigators

The U.S. Department of Justice has charged two former federal agents with money laundering and wire...

The ISMG Network