In the wake of revelations about major data breaches, Heartland Payment Systems and RBS WorldPay have been removed from Visa's list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers.
Heartland revealed in January that malicious software had been found in its processing system, potentially compromising the card data of millions of people.
RBS WorldPay had its computer system improperly accessed in November, with the personal information of 1.5 million pre-paid cardholders compromised. The data is believed to have been used in a global ATM heist that netted crooks around $9 million.
PCI DSS is a set of requirements developed by American Express, Discover, JCB, MasterCard and Visa in a bid to improve payment account data security. Service providers are required to submit to an annual on-site assessment in order to be validated.
Visa has now removed both firms from its list of PCI DSS compliant providers but says they are "actively working on revalidation" using a qualified security assessor. Heartland and RBS say they hope to be recertified within months.
Gartner analyst Avivah Litan told UK techwire The Register that merchants aren't allowed to do business with non-compliant processors, putting Heartland and RBS WorldPay customers in a difficult position.
The fact that Heartland and RBS WorldPay were on Visa's list of PCI DSS compliant service providers when they were breached has also raised questions over the effectiveness of the system, with firms only needing to be in line with the rules at the time of their assessment.