Heartland Payment Systems (HPY) has been removed from Visa's list of compliant service providers, and banking institutions affected by the Heartland data breach have until May 19 to file their fraud claims with Visa.
This news emerged late last week from a public statement by Visa, as well as from a letter sent by the credit card company to card-issuing banking institutions.
In the statement, Visa confirmed that both Heartland and RBS WorldPay, as a result of their recent data breaches, have been removed from the company's Payment Card Industry Data Security Standard (PCI DSS) Compliant Service Providers list. This list represents the service providers that Visa has validated as being PCI DSS compliant for merchants and other businesses to run their credit card transactions.
Heartland is now considered to be "on probation," and can apply to be relisted once it revalidates PCI DSS compliance and meets other security stipulations. RBS has been removed from the compliant service providers list and is now undergoing PCI recertification, according to an RBS spokesperson.
Heartland, according to spokesperson Jason Maloni, can still process Visa transactions during this probationary period.
In the letter about Heartland to banking institutions (a copy of the letter was obtained by Information Security Media Group, and its contents confirmed by recipients), Visa says:
So far, neither MasterCard nor any other credit card company has issued similar statements about Heartland's status or how/if institutions can recover money losses from the breach.
What it Means to Heartland, RBS WorldPay
Visa's action comes less than two months after Heartland announced on January 20 that its payment processing network had been breached by hackers in 2008. To date, more than 600 financial institutions in the U.S., Canada, Guam, and Bermuda have come forward to say their customers' debit and credit cards were compromised as a result of the breach.
RBS WorldPay, another U.S.-based payment processor, revealed last December that 1.5 million customer accounts were compromised in a breach that happened earlier in 2008. The RBS WorldPay breach was discovered after daring, well-orchestrated ATM robberies totaling $9 million took place at locations around the globe on November 8.
Prior to this announcement, the last large payment processor removed from the list of compliant service providers was CardSystems, observes David Taylor, Founder of the PCI Knowledge Base, an independent PCI security organization. CardSystems Solutions was a payments processor that was breached in 2005, and subsequently Visa, MasterCard and other credit card companies stopped using it as a service provider. The company that subsequently bought CardSystems went out of business in early 2008.
"My first question is: While Visa still is allowing Heartland to process transactions during the probation period, what price will be inflicted upon them in terms of higher process transaction fees?" Taylor says. Visa's statement did not reveal the details of the terms of probation.
Visa's statement notes that both "Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor." Visa adds it will consider relisting both organizations following their submissions of their PCI DSS reports on compliance.
Heartland Payment Systems spokesman Jason Maloni says Heartland is "cooperating fully with Visa and other card brands, and we are committed to having a safe and secure processing environment."
Maloni says Heartland, which was certified as PCI DSS compliant in April 2008, "expects to continue to be assessed as PCI DSS compliant in the future." Maloni confirmed that Heartland is currently undergoing its 2009 PCI DSS assessment. "Heartland believes [the assessment] will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI DSS compliant," says Maloni.
Visa's action evoked this statement from RBS WorldPay: