March 2009


Visa Condemns Hacked Payment Processors


It’s a well-known saying: when it rains, it pours. If that’s the case, then Heartland and RBS WorldPay are in the midst of a thunderstorm. In November 2008, RBS WorldPay’s computer systems were hacked, compromising the personal information of 1.5 million cardholders and netting the criminals a tidy $9 million. Then, in January, the financial industry suffered another blow. Heartland Payment Systems admitted that malicious software had been found in its processing systems, risking the personal data of more than 100 million card transactions. Both companies probably couldn’t have imagined the situation could get any worse, but the news that both have been removed from Visa’s list of Payment Card Industry Data Security Standard (PCI DSS) compliant providers could prove the final nail in the coffin.

Heartland is under siege from all sides. Currently under investigation by the US Department of Justice, the SEC, the Federal Trade Commission, the Office of the Comptroller of the Currency, as well as several states, the beleaguered company also faces sixteen class-action lawsuits filed by ticked-off consumers, and four lawsuits filed by financial institutions. This is bad news for Heartland and bad news for the financial sector, where consumer confidence is already at rock-bottom as a result of the crippling state of the global economy. The loss of PCI DSS accreditation is just as concerning, and Heartland and RBS WorldPay will certainly remember the demise of CardSystems Solutions in similar circumstances back in 2005.

CardSystems, a payments firm, processed transactions for MasterCard and Visa, before misplacing more than 40 million card accounts. As a consequence of the breach, CardSystems was dropped by all major credit companies, eventually filing for bankruptcy in 2007 and closing its doors a year later. There’s a frightening similarity between the two cases. Both CardSystems and Heartland were payment processors, both suffered hacking attacks, and both, at the time of the crime, were the largest breaches ever. Negative publicity from the breach has already resulted in increased merchant attrition, and Heartland could also lose the sponsorship of its primary banks, and stock sales are plummeting. Interestingly enough, Heartland CEO Robert Carr sold his shares around the time that the breach was discovered, fuelling speculation that he was attempting to cash in before prices fell.

Heartland and RBS WorldPay are now considered to be ‘on probation’, and both will undergo PCI recertification and assessment for undisclosed fines as a result of the data breach. Heartland gained PCI accreditation in April 2008, and RBS WorldPay received compliance two months later in June. Neither company held PCI certification for longer than a year. But the fact that both were PCI DSS compliant providers when they suffered security breaches has raised questions over the validity of the PCI system, with companies only needing to shape up when the annual assessment comes around.

It’s fair to say that PCI DSS has copped quite a bit of criticism from industry experts over the Heartland debacle. Many have been opposed to the standard from the outset, and data losses in organisations that are using PCI DSS as the framework for their security practices are certainly going to leave people questioning the purpose and overall benefits of the system. Of course, any standard that encourages better, safer practice is a good thing, but the company must also be equally committed to the ongoing protection of data, a focus that sadly is lacking in many banking and e-finance institutions. Until data protection is higher on the agenda, there will always be a greater risk. The real question is: Had Heartland not been ‘protected’ by PCI DSS, could the effects have been even worse?


Tom Tainton — Smartcard & Identity News




