Heartland Regains PCI Compliant Status

May 3, 2009 by ADMIN

By Anthony M. Freed, Information-Security-Resources.com Managing Editor

Heartland Payment Systems (HPY) announced via email that it has regained PCI compliant status following less than two months of suspension from Visa's list of validated service providers.

Heartland’s removal from the list of compliant payment processors had followed revelations that the company suffered what may be the largest data breach of payment card information to date.

Details of the incident and similar events at RBS WorldPay (RBS) have not been made available due to ongoing investigations.

PCI DSS is the self-regulatory security standard that the payment card brands, processors and retail merchants use to establish baseline information security practices for handling cardholder data; it is enforced contractually by the card brands rather than by a government regulator.

Heartland’s email:

HEARTLAND PAYMENT SYSTEMS RETURNS TO VISA’S LIST OF PCI DSS VALIDATED SERVICE PROVIDERS

Princeton, N.J. (May 1, 2009) – Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. As such, Heartland is returning to Visa’s List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list – which can be found at www.visa.com/cisp — on Monday, May 4.

Heartland, one of the largest credit card processors in North America, had finally been sanctioned by Visa in March of this year for the lapses in its security controls that contributed to the 2008 breach:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

The suspension was really in name only. Heartland was allowed to continue business as usual while obtaining re-validation of its PCI DSS compliance through a Qualified Security Assessor, and that re-validation is something the company would have been required to complete regardless of Visa's (V) actions, since compliance must be re-validated annually in any case.

So here we are back at square one, with little improvement in security for an industry that can arguably be considered crucial to our national security, as well as our individual financial identities.

And the industry overall is no better off, as a weak economy yields meager revenues and ever tighter budgets for the IT Security professionals whose job it is to always do more with less.

The future of PCI DSS is at stake, yet the leadership required to secure its future and the much needed cooperation of all interested parties appears to have been tabled in favor of the status quo.

The biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will face in perpetuity, but instead from the fractured portrait of an industry in crisis and its inability to effectively manage itself.


Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

Filed under: Anthony M. Freed, Breach, Class Action Lawsuit, D&O Liability, FEATURE ARTICLE, Financial, PCI, Sarbanes-Oxley, Uncategorized, hackers, identity-theft, national security 

Comments

One Comment on Heartland Regains PCI Compliant Status

The Merchant Maven on Mon, 4th May 2009 6:01 am

    Anthony:

    I will repost your article on my blog…and give you credit of course!

    I love the line where you say: ” I again offer my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.”

    How right I think you are. It's just another example of the awful times we are in:
    100-year-old automobile juggernauts cannot manage themselves; established banks cannot manage themselves; the securities industry, especially hedge funds, has been incapable of anything approaching responsible self-regulation and management. And yes, the credit card processing industry needs to smell the coffee as well.

    I think everyone needs to go back to school!

    Regards,
    The Merchant Maven
    themerchantmaven.com
