Three processors breached, all claim to have been compliant (update 1)
Jaikumar Vijayan of Computerworld reports that merchants using Heartland Payment Systems and RBS WorldPay do not need to worry about fines or their own liability if they continue to use the payment processors. An analysis by Avivah Litan of Gartner, Inc. that is based on a statement by Visa provides additional clarification.
For its part, Heartland updated its breach site this week to address some of the same issues. In a statement by CEO Robert O. Carr, the company says:
Please rest assured this action on Visa’s part has NO impact to you as a Heartland customer or prospect. At Heartland, we believe our system is secure, the intrusion has been contained and you are safe using us to process your transactions. Despite rumors to the contrary, you do not take on any additional risk or responsibility because you currently use a processor that is not included on the Visa list. Nor does Heartland’s temporary removal from the list impact your own PCI DSS status.
1. We are actively processing Visa transactions — as well as those of the other card brands. Statements that Heartland is disconnected from the processing system are false. In fact, with our new relationships with American Express® and Discover®, we are one of the few processors nationwide that now authorizes and settles transactions for all major card brands.
2. We are cooperating fully with Visa and other card brands to revalidate our PCI DSS compliance and believe that by no later than May 2009, we will be returned to the Visa list of PCI DSS compliant service providers.
3. We were certified as PCI DSS compliant for each of the past five years without any indication of major issues with any aspects of the PCI DSS regulations. Nothing significant was changed in our system in the short time between our latest certification in April 2008 and the onset of the intrusion into our payment processing system in May 2008.[….]
It keeps coming back to that, doesn’t it — that HPY and RBS both say that they were compliant at the time of the breaches, Visa says they weren’t, but has not revealed publicly precisely how both of these processors allegedly failed to be compliant at the time of their breaches.
In its coverage of the expanded probe into activities of “The Analyzer,” Kim Zetter of Threat Level reports that a third processor, Symmetrex, was also hacked last year:
A spokesman for Symmetrex, which was owned at the time of the hack by Britain-based Altair Financial Services, had no knowledge of the breach, but said Symmetrex processes about 500,000 debit transactions a month for prepaid payroll and gift cards and claimed the company was compliant with the PCI security standards that financial institutions say protect them from such intrusions. It’s not known if either company notified customers whose information was breached. There does not appear to be any public announcement about either intrusion.
In February, I had learned that Symmetrex had reported a breach to NYS last year that had never been reported in mainstream media. Although the breach report is not publicly available online, NYS’s logs indicate that the incident affected 13,885 individuals, 588 of whom were residents of NY. Symmetrex did not respond to a request from this site for clarification as to whether their report was related to Tenenbaum’s alleged confession and the incident now discussed by Zetter. But if it was, then that is three processors making the same claim about compliance. Symmetrex is not listed as a PCI DSS compliant provider on Visa’s most recent (March 23rd) list of approved providers, although it is listed as approved by MasterCard’s Site Data Protection Program as of its last review in January 2009.
In February, I sent an inquiry to the PCI Security Standards Council with some very simple questions about the standards and whether an entity can ever be considered to be compliant if the firewall fails to adequately protect card data. On March 5, I received an auto-reply that they would get back to me. I am still waiting for clarification.
Update 1: 8:22 am: Since the time of the original posting above, Heartland has seemingly replaced the letter quoted above with a letter dated March 23rd that cites Gartner’s analysis and also indicates that it has been sending cease and desist letters to competitors who may be trying to get new customers by suggesting that they will be subject to fines if they continue to use HPY.