Heartland Data Breach: Visa Questions Processor's PCI Compliance

Visa Executive: "We've Never Seen Anyone Who Was Breached That Was PCI Compliant"

By Linda McGlasson, March 24, 2009.
Heartland Data Breach: Visa Questions Processor's PCI Compliance


See Also: Fighting Financial Fraud: Mitigation for Malware, Phishing & DDoS Attacks

espite the Heartland Payment Systems (HPY) data breach and other noted compromises, Visa staunchly supports the Payment Card Industry Data Security Standard (PCI DSS).

This is the message from Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, who in an exclusive interview hammers home the credit card company's support for the security standard - and suggests that, contrary to Heartland's own statements, the payment processor may not have been PCI compliant when it was breached sometime in 2008.

"We've never seen anyone who was breached that was PCI compliant," Phillips says without specifically naming - or excluding -- Heartland. "The breaches that we have seen have involved a key area of non-compliance."

Interviewed during last week's Visa Security Summit in Washington, D.C., Phillips acknowledges Heartland and other recent breaches, but uses them as an opportunity to support the PCI standard. "Let's remember we've had some bad breaches, but if we had not had PCI DSS, it would have been much worse," Phillips says. "As of today, I am confident that PCI DSS works."

Phillips comments come one week after news that Visa had removed Heartland Payment Systems from its certified PCI-DSS Compliant Service Providers list.

Gartner analyst Avivah Litan recommends that merchants and other card-acepting enterprises using Heartland take no action, "because the processor will likely be recertified soon." Litan says the Visa delisting should "nonetheless make it easier for [Visa] to help card issuers recover financial losses they may have suffered as a result of the breaches from the processor." She adds the delisting should also make it easier for Visa to impose fines, probably $150,000 or more, on Heartland.

New CAMS Alert Types

Beyond the Heartland breach, Phillips addressed several related security issues, including notice of potential breaches.

In response to questions from financial institutions that want a faster alert response when card compromises occur, Phillips says Visa has developed a tool he dubs the "traffic light" solution.

"Visa is trying to expedite the CAMS alerts," he says. "To be frank, it's a challenge, because it s not always absolutely clear to us that a compromise has occurred, and it sometimes takes time to sure that something has occurred."

The tool will send quicker alerts to issuers, he says. "So, for example, if we were less certain that a compromise had occurred, or that there was even a breach, we would send out a green alert." At the other end of the spectrum, he says would be the red alert "when we were absolutely certain that a breach had occurred." This will be a way to expedite alerts, although Phillips sees "there will be challenges to implementing this because on the other side is you don't want to give issuers too many false positives.

The issuers want to keep their customers, and Visa wants to keep their customers happy, "So we don't want to send out alerts with every little rumor," he says.

Visa on Encryption

When asked about the call from Heartland's Bob Carr for end-to-end encryption for the entire payment system, Phillips notes "We support encryption. Visa's systems support encryption, and PCI DSS says if you are encrypted that is a good thing within the standards."

Phillips personally supports encryption. "From encrypting at the point of sale terminal, such as the recent completion of the project for all Spanish merchants, which meant that all three of Spain's payment processors came together to do it. That protects everyone."

Phillips sees the three challenges with encryption as expense, speed and management. "Encryption is only as good as your key management system," he says. "But I don't want people to think that it's the answer for everything, because there's key management issue, and also there comes a point in time when you have to decrypt the message."

The industry has done a great job of getting people not to store prohibited card data. "But now these hackers are sniffing data in transit -- at the point someone decrypts is when the hacker gets the information," Phillips notes. "I'm pushing for [encryption], but I don't want people to think that it is the silver bullet for everything."

Is PCI In Need of Repair?

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE NPCI Launches Money Transfer Service

NPCI's new unified payment interface for smartphones aims to simplify mobile money transfer through...

Latest Tweets and Mentions

ARTICLE NPCI Launches Money Transfer Service

NPCI's new unified payment interface for smartphones aims to simplify mobile money transfer through...

The ISMG Network