March 2009


Visa Condemns Hacked Payment Processors


It’s a well-known saying — when it rains, it pours. If that’s the case, then Heartland and RBS WorldPay are in the midst of a thunderstorm. In November 2008, RBS WorldPay’s computer systems were hacked, compromising the personal information of 1.5 million cardholders and netting the criminals a tidy $9 million. Then, in January, the financial industry suffered another blow: Heartland Payment Systems admitted that malicious software had been found in its processing systems, putting the personal data of more than 100 million card transactions at risk. Both companies probably couldn’t have imagined the situation getting any worse, but the news that both have been removed from Visa’s list of Payment Card Industry Data Security Standard (PCI DSS) compliant providers could prove the final nail in the coffin.

Heartland is under siege from all sides. Currently under investigation by the US Department of Justice, the SEC, the Federal Trade Commission and the Office of the Comptroller of the Currency, as well as several states, the beleaguered company also faces sixteen class-action lawsuits filed by ticked-off consumers and four lawsuits filed by financial institutions. That is bad news for Heartland and bad news for the financial sector, where consumer confidence is already at rock bottom as a result of the crippling state of the global economy. The loss of PCI DSS accreditation is just as concerning, and Heartland and RBS WorldPay will certainly remember the demise of CardSystems Solutions in similar circumstances back in 2005.

That payments firm processed transactions for MasterCard and Visa before exposing more than 40 million card accounts. As a consequence of the breach, CardSystems was dropped by all the major card companies, eventually filing for bankruptcy in 2007 and closing its doors a year later. There is a frightening similarity between the two cases: both CardSystems and Heartland were payment processors, both suffered hacking attacks, and both, at the time of the crime, were the largest breaches ever recorded. Negative publicity from the breach has already resulted in increased merchant attrition, Heartland could also lose the sponsorship of its primary banks, and its stock sales are plummeting. Interestingly enough, Heartland CEO Robert Carr sold his shares around the time the breach was discovered, fuelling speculation that he was attempting to cash in before prices fell.

Heartland and RBS WorldPay are now considered to be ‘on probation’, and both will undergo PCI recertification and assessment for undisclosed fines as a result of the data breaches. Heartland gained PCI accreditation in April 2008, and RBS WorldPay was certified compliant two months later, in June. Neither company held PCI certification for longer than a year. But the fact that both were PCI DSS compliant providers when they suffered security breaches has raised questions over the validity of the PCI system, with companies only needing to shape up when the annual assessment comes around.

It’s fair to say that PCI DSS has copped quite a bit of criticism from industry experts over the Heartland debacle. Many have been opposed to the standard from the outset, and data losses at organisations that use PCI DSS as the framework for their security practices are certainly going to leave people questioning the purpose and overall benefits of the system. Of course, any standard that encourages better, safer practice is a good thing, but a company must also be equally committed to the ongoing protection of its data, a focus that sadly is lacking in many banking and e-finance institutions. Until data protection is higher on the agenda, there will always be a greater risk. The real question is: had Heartland not been ‘protected’ by PCI DSS, could the effects have been even worse?

Email: info@smartcard.co.uk

Tom Tainton — Smartcard & Identity News
