May 3, 2009
By Anthony M. Freed, Information-Security-Resources.com Financial Editor
Heartland Payment Systems (HPY) announced via email that they have once again attained a PCI compliant status following less than two months of suspension.
Heartland’s removal from the list of compliant payment processors had followed revelations that the company had suffered what may have been the largest data breach of payment card information to date, although details of the incident and similar events at RBS WorldPay (RBS) have not been made available due to ongoing investigations.
PCI DSS is the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security best practices throughout the industry.
Heartland’s email:
HEARTLAND PAYMENT SYSTEMS RETURNS TO VISA’S LIST OF PCI DSS VALIDATED SERVICE PROVIDERS
Princeton, N.J. (May 1, 2009) – Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. As such, Heartland is returning to Visa’s List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list – which can be found at www.visa.com/cisp — on Monday, May 4.
Heartland Payment Systems (HPY), one of the largest credit card processors in North America, had finally been sanctioned in March of this year for the lapses in its security standards that contributed to the 2008 breach:
On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:
Removal from Visa’s List of Compliant Service Providers – Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.
System Participation – HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.
Given that the suspension was really in name only, Heartland was allowed to continue business as usual while obtaining re-certification of its PCI compliance, something it would have been required to complete regardless of Visa’s (V) actions, since compliance re-certification is required on a yearly basis anyway.
So here we are back at square one, with little improvement in security for an industry that can arguably be considered crucial to our national security, as well as to our individual financial identities. And the industry itself is no better off, as a weak economy yields meager revenues and ever tighter budgets for the IT security professionals whose job it is to always do more with less.
The future of PCI DSS is at stake, yet the leadership required to secure its future, and the much needed cooperation of all interested parties, appears to have been tabled in favor of the status quo.
I again offer my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.
Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.
The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
April 1, 2009
By Anthony M. Freed, Information-Security-Resources.com Financial Editor
PCI DSS, the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security, may well have entered its death throes Tuesday, as evidenced by revealing testimony during the House of Representatives’ Committee on Homeland Security hearings.
Why the dire prognosis?
Anyone who has been following the cascade of security failures plaguing the payment card industry in the last year, punctuated by the still-shrouded breaches at RBS WorldPay (RBS) and Heartland Payment Systems (HPY), has to acknowledge that there are major problems with security that need to be addressed pronto.
But the greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers intent on a “big score,” but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve.
The squabbling and finger pointing displayed during the first quarter of 2009 within the industry itself has resulted in nothing less than a public relations nightmare in my opinion, as major card brands, processors, and merchants each seek to deflect responsibility onto the others.
Someone on the sidelines, intently watching the game, would have to wonder what the heck these people are thinking.
First, RBS WorldPay and Heartland maintain that because they had been PCI DSS compliant at some point before their systems were breached, they can essentially shrug off any culpability for the security lapses, offering only the caveat that they are doing the best they can with what they have.
Almost simultaneously, the PCI Security Standards Council was staunchly asserting that no company that suffers a breach can be considered PCI compliant – regardless of their being listed as in good standing with the council at the time of the breach. From Securosis.com:
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security Standards Council, or at least he’s never seen such a case. Victims may have attained compliance certification at some point, he says, but none has been in compliance at the time of a breach, he says.
Visa (V) echoed this sentiment in an interview with BankInfoSecurity.com:
“We’ve never seen anyone who was breached that was PCI compliant,” Phillips says without specifically naming – or excluding — Heartland. “The breaches that we have seen have involved a key area of non-compliance.”
To add to the confusion, Visa issued statements that RBS WorldPay and Heartland had been belatedly removed from the PCI Compliant list, in what has been widely considered to be merely legal maneuvering to effectively shield themselves from culpability while blocking the only alibi the processors have.
“It’s all legal maneuvering by Visa,” says Gartner security analyst Avivah Litan in an interview with ComputerWorld.com. “This is PCI enforcement as usual: They’re making the rules up as they go.”
This was apparently seen as an opportunity by some Heartland competitors to move in on some of Heartland’s clients, with reports of merchants being warned by other processors that they may be violating PCI compliance by continuing to do business with Heartland, and prompting Heartland to respond with threats of lawsuits.
Then, during Tuesday’s Congressional hearings, representatives of the merchant community, long thought to bear the brunt of security protocol “cram-downs” by the issuing brands, threw their hat into the ring in what now amounts to an industry free-for-all. From Forbes.com:
Michael Jones, the chief information officer at the retail company Michael’s, testified that the PCI rules were “expensive to implement, confusing to comply with and ultimately subjective both in their interpretation and their enforcement.”
Now bear in mind, all of these factions are supposed to be on the same team, and all are supposed to be working in unison to continue the evolution of ever more secure systems to thwart the increasingly resourceful criminal hackers.
Is it any wonder that the future of PCI DSS is in question?
And what could possibly be worse than an entire industry at each other’s throats in the midst of the biggest security problems it has faced to date?
Well, they could make enough of a brouhaha that they attract the attention of lawmakers, as they have succeeded in doing; lawmakers who have regularly demonstrated their intention of late to force industries of all stripes to cede to their “better judgment.” Also from Forbes.com:
“I’m concerned that as long as the payment card industry is writing the standards, we’ll never see a more secure system,” (Rep. Bennie) Thompson said. “We in Congress must consider whether we can continue to rely on industry-created standards, particularly if they’re inadequate to address the ongoing threat.”
This means that the PCI Security Council, keepers of the PCI DSS flame, have their work cut out for them if they want to remain the chief regulating body for PCI security. Maybe they left these issues to simmer on the back burner for too long, and maybe someone will be looking for a scapegoat.
It’s all uphill now.
During a phone call in early March with Lib de Veyra, VP of emerging technologies at JCB International and recently named Chair of the PCI Security Council, I expressed my concern over the state of relations between the various elements that make up the payment card industry.
I likened the public displays of policy incongruity, and the tendency for all interested parties to respond to news of security lapses by rushing to throw each other under the bus, to the image of a snake swallowing its own tail.
I expressed concern by offering my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.
That was one long month ago, and the opportunity to avert the creation of a new regulatory body to oversee PCI may have already come and gone, which is most unfortunate for everyone concerned.
PCI DSS is not broken, but the collective will to make it an effective standard for security just might be.