Heartland Data Breach: Visa Sets Deadline for Issuers to File Fraud Claims
Heartland, RBS WorldPay Removed from Visa's Compliant Service Providers ListThis news emerged late last week from a public statement by Visa, as well as from a letter sent by the credit card company to card-issuing banking institutions.
In the statement, Visa confirmed that both Heartland and RBS WorldPay as a result of their recent data breaches, have been removed from the company's Payment Card Industry Data Security Standard (PCI DSS) Compliant Service Providers list. This list represents the service providers that Visa has validated as being PCI DSS compliant for merchants and other businesses to run their credit card transactions.
Heartland is now considered to be "on probation," and can apply to be relisted once they revalidate PCI DSS compliance and meet other security stipulations. RBS has been removed from compliant service providers list and is now undergoing PCI recertification, according to an RBS spokesperson.
Heartland, according to spokesperson Jason Maloni, can still process Visa transactions during this probationary period.
In the letter about Heartland to banking institutions (a copy of the letter was obtained by Information Security Media Group, and its contents confirmed by recipients), Visa says:
So far, neither MasterCard nor any other credit card company has issued similar statements about Heartland's status or how/if institutions can recover money losses from the breach.
What it Means to Heartland, RBS WorldPay
Visa's action comes less than two months after Heartland announced on January 20 that its payment processing network had been breached by hackers in 2008. To date more than 600 financial institutions in the U.S. and Canada, Guam, and Bermuda have come forward to say their customers' debit and credit cards were compromised as a result of the breach.
RBS WorldPay, another U.S.-based payment processor, revealed last December that 1.5 million customer accounts were compromised in a breach that happened earlier in 2008. The RBS WorldPay breach was discovered after daring, well-orchestrated ATM robberies of $9 million occurred at locations around the globe on November 8.
Prior to this announcement, the last large payment processor removed from the list of compliant service providers was CardSystems, observes David Taylor, Founder of the PCI Knowledge Base, an independent PCI security organization. CardSystems Solutions was a payments processor that was breached in 2005, and subsequently Visa, MasterCard and other credit card companies stopped using it as a service provider. The company that subsequently bought CardSystems went out of business in early 2008.
"My first question is: While Visa still is allowing Heartland to process transactions during the probation period, what price will be inflicted upon them in terms of higher process transaction fees?" Taylor says. Visa's statement did not reveal the details of the terms of probation.
Visa's statement notes that both "Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor." Visa adds it will consider relisting both organizations following their submissions of their PCI DSS reports on compliance.
Heartland Payment Systems spokesman Jason Maloni says Heartland is "cooperating fully with Visa and other card brands, and we are committed to having a safe and secure processing environment."
Maloni says Heartland, which was certified as PCI DSS compliant in April 2008, "expects to continue to be assessed as PCI DSS compliant in the future." Maloni confirmed that Heartland is currently undergoing its 2009 PCI DSS assessment. "Heartland believes [the assessment] will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI DSS compliant," says Maloni.
Visa's action evoked this statement from RBS WorldPay:
"RBS WorldPay received its Payment Card Industry (PCI) Report on Compliance (ROC) in June of 2008 by a qualified assessor. Visa has asked us to obtain a new certification of PCI compliance because of the recent data-security compromise. Visa has removed us from its list of approved PCI-compliant processors until the new certification is complete. Our goal is to have a new ROC by the end of April.
"There have been no material system changes that would have negatively altered this certification and we have in fact enhanced the security of our systems in the interim. Because of the criminal intrusion, we need to be recertified earlier than the normal schedule."
What it Means to Banking Institutions
In its March 12 letter, attributed to Chief Enterprise Risk Officer Ellen Richey, Visa takes the opportunity to underscore its support for PCI DSS. "These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises," the letter states. "Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud."
Ever since the data breach was first announced, banking institutions have been outspoken in their outrage at once again (after the TJX and Hannaford breaches) having to replace cards and placate unhappy customers for fraud resulting from a vendor's security flaws. Visa addresses these concerns by declaring the Heartland breach eligible for the Account Data Compromise Recovery (ADCR) program, which allows issuers to recover "a portion of their losses" related to the compromised accounts.
Issuers have roughly two months, until May 19th, to report any fraud losses related to Heartland. Specific recovery amounts will not be determined until after that reporting deadline.
Visa's information on compromised cards and the steps to take is in Visa's "What To Do If Compromised".
Page 12 of this Visa document outlines the steps for acquirer and issuers to take in the event of a security breach. Institutions should contact their regional Visa representative for information on filing their loss claims.