Heartland Regains PCI Compliance Status

By Anthony M. Freed, Information-Security-Resources.com Financial Editor

Heartland Payment Systems (HPY) announced via email that they have once again attained a PCI compliant status following less than two months of suspension.

Heartland’s removal from the list of compliant payment processors had followed revelations that the company had suffered what may have been the largest data breach of payment card information to date, although details of the incident and similar events at RBS WorldPay (RBS) have not been made available due to ongoing investigations.

PCI DSS is the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security best practices throughout the industry.

Heartland’s email:

HEARTLAND PAYMENT SYSTEMS RETURNS TO VISA’S LIST OF PCI DSS VALIDATED SERVICE PROVIDERS

Princeton, N.J. (May 1, 2009) – Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. As such, Heartland is returning to Visa’s List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list – which can be found at http://www.visa.com/cisp — on Monday, May 4.

Heartland Payment Systems (HPY), one of the largest credit card processors in North America, had finally been sanctioned in March of this year for the lapses in its security standards that contributed to the 2008 breach:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

Removal from Visa’s List of Compliant Service Providers – Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation – HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

Given that the suspension was really in name only, Heartland was allowed to continue business as usual while obtaining re-certification of their PCI compliance, which is something they would have been required to complete regardless of Visa’s (V) actions, as compliance re-certification is required on a yearly basis anyway.

So here we are back at square one, with little improvement in security for an industry that can arguably be considered crucial to our national security, as well as to our individual financial identities. And the industry itself is no better off, as a weak economy yields meager revenues and ever tighter budgets for the IT security professionals whose job it is to always do more with less.

The future of PCI DSS is at stake, yet the leadership required to secure its future, and the much-needed cooperation of all interested parties, appears to have been tabled in favor of the status quo.

I again offer my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

The author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com.

One Response to Heartland Regains PCI Compliance Status

  1. Great post.

    It’s ironic that security systems are often less secure than leisure industry systems.
