Heartland Back on Visa's List as PCI Compliant RBS WorldPay Still Not Recertified After Data Breach
Heartland Payment Systems (HPY) has made it back onto Visa's list of PCI DSS Validated Service Providers. The announcement comes almost six weeks after the credit card payment processor was taken off the list and four months since it announced its networks had been breached and credit card information stolen.

Calling the recertification its "annual PCI DSS assessment," Heartland says it was put back on the list on May 4. VeriSign was the company hired to do the recertification work, says Jason Maloni, Heartland's spokeperson. The list, www.visa.com/cisp, says Heartland was recertified on April 30, and VeriSign is listed as the Qualified Security Assessor (QSA).

Visa requires all service providers that store, process or transmit Visa account data to validate PCI DSS compliance every 12 months. Businesses that validate their PCI DSS compliance utilizing a qualified security assessor (QSA) are listed on Visa's List of Compliant Service Providers.

"Earlier this year, Heartland Payment Systems publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands. Based on compromise event findings, Visa removed Heartland from its list of PCI DSS compliant service providers," says Eduardo Perez, head of global data security at Visa

Perez says that since January 20, when Heartland first announced the data breach publicly, Heartland worked with a QSA (VeriSign) to revalidate and submit a Report on Compliance. "Visa has reviewed their report and is satisfied that previous deficiencies have been addressed," Perez states.

Perez says Visa is pleased that Heartland has been committed to working diligently to improve its systems and meet the PCI DSS requirements. "It's essential that every business that handles payment card information adhere to the highest standards to protect the security and privacy of their customers' financial information. The PCI DSS remains an effective security tool when implemented properly - and remains the best defense for businesses against the loss of sensitive data."

The other company that was removed from the list during the same time period, RBS WorldPay, has not yet received recertification and is not back on the list. RBS WorldPay announced its computer systems were hacked in November 2008 and sent out notification letters (PDF) to affected cardholders beginning on December 23, 2008.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.





Around the Network