BankInfoSecurity.com - Information Security News, Regulations, & Education


Heartland Data Breach: Visa Questions Processor's PCI Compliance

Visa Executive: "We've Never Seen Anyone Who Was Breached That Was PCI Compliant"
March 24, 2009 - Linda McGlasson, Managing Editor
Despite the Heartland Payment Systems (HPY) data breach and other noted compromises, Visa staunchly supports the Payment Card Industry Data Security Standard (PCI DSS).

This is the message from Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, who in an exclusive interview hammers home the credit card company's support for the security standard - and suggests that, contrary to Heartland's own statements, the payment processor may not have been PCI compliant when it was breached sometime in 2008.

"We've never seen anyone who was breached that was PCI compliant," Phillips says, without specifically naming, or excluding, Heartland. "The breaches that we have seen have involved a key area of non-compliance."

Interviewed during last week's Visa Security Summit in Washington, D.C., Phillips acknowledges Heartland and other recent breaches, but uses them as an opportunity to support the PCI standard. "Let's remember we've had some bad breaches, but if we had not had PCI DSS, it would have been much worse," Phillips says. "As of today, I am confident that PCI DSS works."

Phillips' comments come one week after news that Visa had removed Heartland Payment Systems from its list of certified PCI DSS-compliant service providers.

Gartner analyst Avivah Litan recommends that merchants and other card-accepting enterprises using Heartland take no action, "because the processor will likely be recertified soon." Litan says the Visa delisting should "nonetheless make it easier for [Visa] to help card issuers recover financial losses they may have suffered as a result of the breaches from the processor." She adds that the delisting should also make it easier for Visa to impose fines, probably $150,000 or more, on Heartland.

New CAMS Alert Types

Beyond the Heartland breach, Phillips addressed several related security issues, including notice of potential breaches.

In response to questions from financial institutions that want a faster alert response when card compromises occur, Phillips says Visa has developed a tool he dubs the "traffic light" solution.

"Visa is trying to expedite the CAMS alerts," he says. "To be frank, it's a challenge, because it's not always absolutely clear to us that a compromise has occurred, and it sometimes takes time to be sure that something has occurred."

The tool will send quicker alerts to issuers, he says. "So, for example, if we were less certain that a compromise had occurred, or that there was even a breach, we would send out a green alert." At the other end of the spectrum, he says, would be the red alert, "when we were absolutely certain that a breach had occurred." This will be a way to expedite alerts, although Phillips sees that "there will be challenges to implementing this because on the other side is you don't want to give issuers too many false positives."

The issuers want to keep their customers, and Visa wants to keep its customers happy. "So we don't want to send out alerts with every little rumor," he says.

Visa on Encryption

When asked about the call from Heartland's Bob Carr for end-to-end encryption for the entire payment system, Phillips notes "We support encryption. Visa's systems support encryption, and PCI DSS says if you are encrypted that is a good thing within the standards."

Phillips personally supports encryption. "From encrypting at the point of sale terminal, such as the recent completion of the project for all Spanish merchants, which meant that all three of Spain's payment processors came together to do it. That protects everyone."

Phillips sees the three challenges with encryption as expense, speed and management. "Encryption is only as good as your key management system," he says. "But I don't want people to think that it's the answer for everything, because there's a key management issue, and also there comes a point in time when you have to decrypt the message."

The industry has done a great job of getting people not to store prohibited card data. "But now these hackers are sniffing data in transit; at the point someone decrypts is when the hacker gets the information," Phillips notes. "I'm pushing for [encryption], but I don't want people to think that it is the silver bullet for everything."

Is PCI In Need of Repair?

Just as other industry standards, such as accounting, are amended and changed over time, Phillips says PCI requirements must evolve as well. "The principal area we must focus on is the need for continuous monitoring for compliance," he says. "I think that people have been confusing the message. People are saying 'I have been found compliant,' when in fact they were found compliant on that one point in time when the assessment was done."

The analogy Phillips uses is accountants. "At Visa, we don't rely on accountants from KPMG to come in once a year to check our books. We have an accounts department with analysts and accountants, we have an internal audit department that checks our compliance, and we live by SOX (Sarbanes Oxley)," he says. "We have our team of accountants and internal auditors who sign off on it along with all of the senior management. They know if we aren't compliant, they could all go to jail."

PCI is at a much earlier stage than SOX is in terms of compliance. "Our aim at Visa is to ensure that compliance with PCI DSS is treated on an ongoing basis," he says. Visa is going to push that compliance out to make sure that the boards of these companies (merchants, processors, acquirers, and issuers) know that they need to be compliant with PCI DSS and are looking at it on a regular basis. "Just as they look at their accounting reports at their bi-monthly meetings, why shouldn't they be looking at PCI DSS?"

The levels of validated compliance are very good at the merchant and payment processor level. "But as we've seen with the recent breaches, they aren't good enough."

Phillips says the challenge moving forward for everyone will be the shared responsibility for PCI compliance. It has to involve and rely on the boards, internal audit departments and others within organizations to drive the ongoing monitoring in order to be PCI compliant. "It should not be the job of just one entity coming along with a stick and telling everyone to be PCI DSS compliant," he says.

Question: How do you respond to Visa's comments about PCI, and breached entities not being compliant?

"100% security is a myth, regardless of all prudent efforts.

The PCI standard and point-in-time compliance show a commitment to prudent action. If an organization chose PCI objectives as an additional framework for a SAS 70 Type II audit, the auditor would be required to assess PCI objectives compliance for the period under review, instead of a point in time.

Many organizations that qualify for PCI compliance have not been forced to attempt the point-in-time PCI audit; possibly due to substantial push-back from cost of compliance. The brands are probably trying to move the bar up slowly in hopes to get their customers to accept adequate compliance at a point in time, then encourage them to stretch to a period of time.

PCI may be too prescriptive to be a law, but GLBA exists for customer account privacy. There may be an accidental legal (or interpretation) gap that after credit card payment acceptance services are extended to commercial customers, those using the services are not held to the same protection and oversight expectations as a bank is for GLBA. GLBA's scope covers loan providers, but those who accept credit cards are participating in a loan process. Credit cards are a line of credit, a form of a loan. Maybe GLBA oversight requirements will be extended.
"I believe Adrian Phillips, Visa's Deputy Chief Enterprise Risk Officer, is seriously overselling PCI-DSS. Requirement 5 necessitates the use of anti-virus software, and that is reasonable, but also far from foolproof. Unfortunately, virus scanners do not detect viruses until after they are distributed, and that may have happened at Hannaford. An undetected virus could have evolved into something more; and the PCI-DSS procedure to identify and suspend an active breach is missing.

Is this an example of PCI saying take that hill, while they hide behind a tree?

- Michael Cherry
"Most processors of credit card information are not simply the monoliths like Heartland, but hundreds of thousands of retailers, wholesalers, etc. that are all paying to be PCI compliant. But when they have issues, you don't hear about it because they aren't that big. However, an aggregate view of the potential challenge puts the larger issue into perspective. Everyone can't afford their own internal self-auditing to compliance group, department or associated tools. Yet someone of Heartland's size should be able to do the due diligence required, given the number of cards they process. However, consider the source of the feedback - VISA owns PCI.
"Strong security is not that difficult to achieve if workflow is fully understood and business logic is used to suspend information breaches. Unfortunately, this could mean the rewriting or re-engineering of some fundamental business applications. PCI-DSS compliance is desirable, but it is not law and therefore it needs to be thought of as a security after-thought. Fortunately, it is written in very broad terms, and therefore compliance in most instances will not be much of a problem.
Michael Cherry, Cherry Biometrics Inc.
"I have no way of knowing if Heartland et al were PCI Compliant at the time of the breach. I think Visa is spot on however in that the organizations, probably all organizations are PCI compliant at the point when the assessment was done. PCI compliance needs to become a daily operational priority like system uptime, adherence to technical standards on every transaction, and meeting settlement windows every day. When organizations consider PCI compliance the way to protect/save the business [revenue] instead of a defense when there is a breach, the entire industry will be better off.