BankInfoSecurity.com - Information Security News, Regulations, & Education

Just Released: Our Online Webinar Catalog

Bank Information Security Articles

Heartland Back on Visa's List as PCI Compliant

Credit
EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

RBS WorldPay Still Not Recertified After Data Breach

May 6, 2009 - Linda McGlasson, Managing Editor

Save

Digg

Delicious

Please login or register to save this article.

Comment on this article

Heartland Payment Systems (HPY) has made it back onto Visa's list of PCI DSS Validated Service Providers. The announcement comes almost six weeks after the credit card payment processor was taken off the list and four months since it announced its networks had been breached and credit card information stolen.

Calling the recertification its "annual PCI DSS assessment," Heartland says it was put back on the list on May 4. VeriSign was the company hired to do the recertification work, says Jason Maloni, Heartland's spokeperson. The list, www.visa.com/cisp, says Heartland was recertified on April 30, and VeriSign is listed as the Qualified Security Assessor (QSA).

Visa requires all service providers that store, process or transmit Visa account data to validate PCI DSS compliance every 12 months. Businesses that validate their PCI DSS compliance utilizing a qualified security assessor (QSA) are listed on Visa's List of Compliant Service Providers.

"Earlier this year, Heartland Payment Systems publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands. Based on compromise event findings, Visa removed Heartland from its list of PCI DSS compliant service providers," says Eduardo Perez, head of global data security at Visa

Perez says that since January 20, when Heartland first announced the data breach publicly, Heartland worked with a QSA (VeriSign) to revalidate and submit a Report on Compliance. "Visa has reviewed their report and is satisfied that previous deficiencies have been addressed," Perez states.

Click to Get Updates on the Latest Information Security News

Company*

Title*

Email*

Subscription Type:

Healthcare Enews

General Healthcare Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Government Enews

General Government Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Banking Enews

General Banking Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Credit Union Enews

General Credit Union Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Need Help?

Perez says Visa is pleased that Heartland has been committed to working diligently to improve its systems and meet the PCI DSS requirements. "It's essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of their customers' financial information. The PCI DSS remains an effective security tool when implemented properly - and remains the best defense for businesses against the loss of sensitive data."

The other company that was removed from the list during the same time period, RBS WorldPay, has not yet received recertification and is not back on the list. RBS WorldPay announced its computer systems were hacked in November 2008 and sent out notification letters (PDF) to affected cardholders beginning on December 23, 2008.

Next Related Article:

Latest List of NSA-Approved CAE Schools

What difference does it make to your institution that Heartland is once again PCI compliant?

Here's your chance to be a part of the dialogue and engage with your peers! Just enter your comment to the right, click submit to send it to our Editor. All entries are posted anonymously.

Please login if you would like to post a comment on this question.

The PCI DSS are based on a common book of knowledge for information security best practices.

They are valid "standards" just as the FFIEC standards are valid.

The problem is most of these card processors were trying to pull a fast one and claim they had compensating controls that addressed those standards, when in reality they did not.

You must take a security approach to compliance. You waste more money chasing after a checkbox versus simply building a strong security program that as a byproduct easily demonstrates compliance.

My question is: do PCI checks and audits really serve the security cause?
Whyever Heatland was on the PCI compliant list before being compromised? This states the PCI audit or the PCI standard itself is not sufficient to preserve cardholders data.
Now that Heartland is on the PCI compliant list again doesn't ensure the data could not be compromised, as it has been before.

Topics of Interest

Office of Thrift Supervision

Identity Theft Red Flags Rule Survey: Executive Summary
Regulatory Reform: Dodd's Bill Analyzed

Office Comptroller of Currency

OCC Bulletin 2008-16: A Blueprint for Compliance
Application Security Survey Results: Executive Summary

CA Bill 1386

California Senate Bill 1386
Massachusetts Data Protection Law: What Your Business Needs to Know

Mortgage

Mortgage Fraud: New Schemes Emerge
Mortgage Fraud: Compliance to be a Challenge

Federal Reserve Board

Regulatory Reform: Dodd's Bill Analyzed
Regulatory Reform: "We're Easy Targets" - Alex Sanchez, Florida Bankers Association

Identity Theft Red Flags Rule

Identity Theft Red Flags Rule Survey: Executive Summary
Identity Theft Red Flags Rule Compliance Survival Guide

Latest Tweets & Mentions

Recent Content
Most Popular

1Heartland, Discover Settle at $5 Million
2How to Protect Consumers from ID Theft
3The Mobile Mandate
4Church Latest Victim of ACH Fraud
5Video: Why Cyber Challenge is Needed
6FDIC: 829 Troubled Banks
7ID Theft: Courts Cracking Down
810 Tips to Thwart Skimming
9Skimming: Old Crime, New Tools
10Key Elements of Risk Management

1Failed Banks and Credit Unions, 2010
22010 Data Breach Timeline
3Pay-At-The-Pump Skimming on the Rise
4Account Takeover: The New Wrinkle
5Tapping the Power of Social Media
6ATM Skimming: How Effective is Jitter?
741 Banking Breaches So far in 2010
8New Fraud Spree Investigated
9Social Media Policy - The 6 Essentials
10FDIC: Top 5 Fraud Threats

BankInfoSecurity.com Research

Podcast:Mortgage Fraud: Compliance to be a Challenge
Webinar:Key Considerations for Business Resiliency
Handbook:2010 Webinar Catalog
White Paper:Understanding Man-in-the-Browser Attacks and Addressing the Problem
Regulation:FHFA: Issues Subpoenas for PLS Documents

Recent Blog Entries

Be Mindful of Insider Fraud Against Seniors

California's Financial Abuse Reporting Act, SB 1018, which r…

Read The Agency Insider by Linda McGlasson

Vendor Solutions

41st Parameter

Solutions For:

Biometrics
3i Infotech

Solutions For:

Anti-Money Laundering, Fraud Detection

Marketplace

Information Security Media Group - Family of Websites

Banking

BankInfoSecurity.com
Careers
Blogs

Credit Unions

CUInfoSecurity.com
Careers
Blogs

Government

GovInfoSecurity.com
Careers
Blogs

Healthcare

HealthcareInfoSecurity.com
Careers
Blogs

About Us
Contact Us
Site Map
Terms of Service
Advertise
RSS

BankInfoSecurity NewsGet the RSS Feed
Agency ReleasesGet the RSS Feed
Latest ArticlesGet the RSS Feed
WebinarsGet the RSS Feed
BankInfoSecurity.com BlogGet the RSS Feed

Home
Training
Resources
Content Library
- Agency Releases
- Articles
- Handbooks
- Podcasts
- Surveys
- Webinars | Calendar
- White Papers
Careers
Blog

Advanced Search

Browse Topics

Agencies

Federal Deposit Insurance Corp
Federal Reserve Board
Federal Trade Commission
FFIEC
FHFA
FinCEN
Government Accountability Office
National Credit Union Admin.
NIST
Office Comptroller of Currency
Office of Thrift Supervision

Anti-Money Laundering

Banking Today

Confidence In Banking

Business Continuity & Disaster Recovery

Pandemic Preparation

Compliance

Bank Secrecy Act
Basel II
CA Bill 1386
E-SIGN Act
FACTA
Gramm-Leach-Bliley Act
Guidance
Identity Theft Red Flags Rule
NCUA Part 748
Patriot Act
PCI DSS
Sarbanes-Oxley Act

Emerging Technology

Application Security
Authentication
Cloud Computing
Data Loss
Encryption
GRC
ID Access & Management
Messaging
Mobile Banking
Network/Perimeter
Remote Capture
SIM/SEM
Social Media
Storage
Web Security

Fraud

ACH
ATM
Check
Debit, Credit, Prepaid Cards
First Party
Insider
Mortgage
Payments
Wire

Governance & Standards

BITS
Cobit
COSO
FFIEC Handbook
ISO
ITGI
ITIL
PCAOB

Identity Theft

Pharming
Phishing
Skimming

Leadership & Management

Physical Security

Biometrics

Risk Management

HR
Incident Response
Information Security Compliance
Insider Threat
IT Audit
Privacy
Risk Assessment
Social Engineering
Vendor Management

Training & Education

FHFA: Issues Subpoenas for PLS Documents..Next Topic
The Electronic Funds Transfer (EFT) Act - Regulation E..Next Topic
The Electronic Funds Transfer (EFT) Act - Regulation E..Next Topic
FFIEC Issues 2009 Mortgage Fraud White Paper:The Detection and Deterrence of Mortgage..Next Topic
DoJ: Report to Congress on Implementation of Section 1001 of the USA PATRIOT Act..Next Topic
FDIC: Fraudulent Work-at-Home Funds Transfer Agent Schemes..Next Topic
Joint Statement by Education Secretary Duncan, Homeland Security Secretary Napolitano and..Next Topic
Obama's Cyberspace Policy Review: Assuring a Trusted and Resilient Information and..Next Topic
Obama's Cyberspace Policy Review: Assuring a Trusted and Resilient Information and..Next Topic
NIST: PIV Card Application and Middleware Interface Test Guidelines, SP800-85A-1..Next Topic

A-
A
A+