Calling the recertification its "annual PCI DSS assessment," Heartland says it was put back on the list on May 4. VeriSign was the company hired to do the recertification work, says Jason Maloni, Heartland's spokeperson. The list, www.visa.com/cisp, says Heartland was recertified on April 30, and VeriSign is listed as the Qualified Security Assessor (QSA).
Visa requires all service providers that store, process or transmit Visa account data to validate PCI DSS compliance every 12 months. Businesses that validate their PCI DSS compliance utilizing a qualified security assessor (QSA) are listed on Visa's List of Compliant Service Providers.
"Earlier this year, Heartland Payment Systems publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands. Based on compromise event findings, Visa removed Heartland from its list of PCI DSS compliant service providers," says Eduardo Perez, head of global data security at Visa
Perez says that since January 20, when Heartland first announced the data breach publicly, Heartland worked with a QSA (VeriSign) to revalidate and submit a Report on Compliance. "Visa has reviewed their report and is satisfied that previous deficiencies have been addressed," Perez states.
Perez says Visa is pleased that Heartland has been committed to working diligently to improve its systems and meet the PCI DSS requirements. "It's essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of their customers' financial information. The PCI DSS remains an effective security tool when implemented properly - and remains the best defense for businesses against the loss of sensitive data."
The other company that was removed from the list during the same time period, RBS WorldPay, has not yet received recertification and is not back on the list. RBS WorldPay announced its computer systems were hacked in November 2008 and sent out notification letters (PDF) to affected cardholders beginning on December 23, 2008.