Heartland Payment Systems (HPY) announced via email that it has regained PCI-compliant status following less than two months of suspension.
Heartland’s removal from the list of compliant payment processors had followed revelations that the company suffered what may be the largest data breach of payment card information to date.
Details of the incident and similar events at RBS WorldPay (RBS) have not been made available due to ongoing investigations.
PCI DSS is the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security best practices throughout the industry.
HEARTLAND PAYMENT SYSTEMS RETURNS TO VISA’S LIST OF PCI DSS VALIDATED SERVICE PROVIDERS
Princeton, N.J. (May 1, 2009) – Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. As such, Heartland is returning to Visa’s List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list – which can be found at www.visa.com/cisp – on Monday, May 4.
Heartland, one of the largest credit card processors in North America, had finally been sanctioned in March of this year for the lapses in their security standards that contributed to the 2008 breach:
On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:
Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.
System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.
The suspension was in name only: Heartland was allowed to continue business as usual while obtaining re-certification of its PCI compliance, something it would have been required to complete regardless of Visa’s (V) actions.
Compliance re-certification is required on a yearly basis anyway.
So here we are back at square one, with little improvement in security for an industry that can arguably be considered crucial to our national security, as well as our individual financial identities.
And the industry overall is no better off, as a weak economy yields meager revenues and ever tighter budgets for the IT Security professionals whose job it is to always do more with less.
The future of PCI DSS is at stake, yet the leadership required to secure its future and the much needed cooperation of all interested parties appears to have been tabled in favor of the status quo.
The biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will face in perpetuity, but instead from the fractured portrait of an industry in crisis and its inability to effectively manage itself.