It’s a well-known saying — when it rains, it pours. If that’s the case then Heartland and RBS WorldPay are in the midst of a thunderstorm. In November 2008, RBS WorldPay’s computer systems were hacked, compromising the personal information of 1.5 million cardholders and netting the criminals a tidy $9 million. Then, in January, the financial industry suffered another blow: Heartland Payment Systems admitted that malicious software had been found in its processing systems, putting the data of more than 100 million card transactions at risk. Neither company could have imagined the situation getting any worse, but the news that both have been removed from Visa’s list of service providers validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS) could prove the final nail in the coffin.
Heartland is under siege from all sides. Currently under investigation by the US Department of Justice, the SEC, the Federal Trade Commission and the Office of the Comptroller of the Currency, as well as several states, the beleaguered company also faces sixteen class-action lawsuits filed by angry consumers and four lawsuits filed by financial institutions. Bad news for Heartland, and bad news for the financial sector, where consumer confidence is already at rock bottom as a result of the crippling state of the global economy. The loss of PCI DSS validation is just as concerning, and Heartland and RBS WorldPay will certainly remember the demise of CardSystems Solutions in similar circumstances back in 2005.
That payments firm processed transactions for MasterCard and Visa before a breach exposed more than 40 million card accounts. As a consequence, CardSystems was dropped by all the major card brands, eventually filing for bankruptcy in 2007 and closing its doors a year later. There are frightening similarities between the two cases. Both CardSystems and Heartland were payment processors, both were hacked, and both breaches were, at the time, the largest ever recorded. Negative publicity from the breach has already resulted in increased merchant attrition, Heartland could also lose the sponsorship of its primary banks, and its share price has plummeted. Interestingly, Heartland CEO Robert Carr sold shares around the time the breach was discovered, fuelling speculation that he was attempting to cash in before the price fell.
Heartland and RBS WorldPay are now considered to be ‘on probation’: both will undergo PCI recertification and both face assessment of undisclosed fines as a result of the data breaches. Heartland was validated as PCI DSS compliant in April 2008, and RBS WorldPay two months later in June; neither company had held its certification for longer than a year when it was breached. The fact that both were validated as compliant at the time they were compromised has raised questions over the value of the PCI system. An annual assessment attests only that the controls were in place on the day of the audit, and a company need only shape up when the assessor is due; it says nothing about how those controls are maintained, monitored and tested during the other 364 days of the year.
It’s fair to say that PCI DSS has copped quite a bit of criticism from industry experts over the Heartland debacle. Many have been opposed to the standard from the outset, and data losses at organisations that use PCI DSS as the framework for their security practices are certainly going to leave people questioning the purpose and overall benefit of the system. Of course, any standard that encourages better, safer practice is a good thing, but the company must be equally committed to the ongoing protection of its data between assessments, a focus that sadly is lacking in many banking and e-finance institutions. Until data protection is higher on the agenda, there will always be a greater risk. The real question is: had Heartland not been ‘protected’ by PCI DSS, could the effects have been even worse?
Tom Tainton — Smartcard & Identity News