Visa pulls Heartland and RBS WorldPay from PCI DSS compliance list

In the wake of revelations about major data breaches, Heartland Payments Systems and RBS WorldPay have been removed from Visa's list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers.

Heartland revealed in January that malicious software in its processing system had been found, potentially compromising the card data of millions of people.

RBS WorldPay had its computer system improperly accessed in November, with the personal information of 1.5 million pre-paid cardholders compromised. The data is believed to have been used in a global ATM heist that netted crooks around $9 million.

PCI DSS is a set of requirements developed by American Express, Discover, JCB, MasterCard and Visa in a bid to improve payment account data security. Service providers are required to submit to an annual on-site assessment in order to be validated.

Visa has now removed both firms from its list of PCI DSS compliant providers but says they are "actively working on revalidation" using a qualified security assessor. Heartland and RBS say they hope to be recertified within months.

Gartner analyst Avivah Litan told UK tech news site The Register that merchants aren't allowed to do business with non-compliant processors, putting Heartland and RBS WorldPay customers in a difficult position.

The fact that Heartland and RBS WorldPay were on Visa's list of PCI DSS compliant service providers when they were breached has also raised questions over the effectiveness of the system, since firms only need to be in line with the rules at the time of their assessment.

Comments: (5)

A Finextra member, 17 March 2009, 15:59

I think I have asked the question before, but I'll ask it again ... where did the PINs come from? Undoubtedly, $9 million is a lot of money to extract from ATMs around the world, but how can it be done without the PINs? The only way of obtaining PINs, as far as I am aware, is by shoulder surfing, using video cameras to act as surrogate shoulder surfers, or by tweaking POS equipment to steal the PIN as it is keyed. As PINs are present only at the terminal and, in the case of online PIN, encrypted in the authorisation request, these are the only places they could be harvested. It doesn't seem likely that the crims were shoulder surfing individual cardholders and then collecting the card details from blagged authorisation and settlement messages - that looks too much like hard work. If it really was a $9 million scam, the only possibility I can think of is that the (online PIN) authorisation messages were compromised, along with the PIN encryption keys, or someone, somewhere, somehow, has cracked the cryptography!

PCI DSS, or as we used to say, "good practice", is simply a list of sensible things to do - it was "invented" because some transaction processing whizz-kids wouldn't recognise good practice if it was standing in front of them with a big "good practice" stick in one hand, a "good practice" notebook and pen in the other, and was wearing a tee-shirt proclaiming in big letters: "I am a good practice practitioner". PCI DSS was mandated because the transaction processing world were in the habit of leaving the gate open; PCI DSS might now be closing the gate, but it doesn't look like the lock works particularly well.

So, the transaction and cardholder data has been compromised. That's clearly not good, and it's certainly not "good practice", but the question about the PINs remains, and questions relating to encrypted PINs ought to be considerably more concerning than the headline-grabbing breach in security that allowed access to the data in the first place.

By some means, it seems that the crims have got hold of $9 million worth of PINs. Why is no one concerned??? And, can anyone tell me how they did it?
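The online-PIN model this comment describes (the PIN is formed into a block at the PIN pad, encrypted under a zone PIN key, and only the ciphertext travels in the authorisation request) is shown below as an added example. It is not code from the article, from Finextra, or from any of the processors named; it implements the public ISO 9564-1 format 0 PIN block with TDES in ECB, and the zone PIN key, PAN and PIN values are constructed for the demonstration. It illustrates the commenter's point: an intercepted encrypted PIN block yields nothing without the key, and yields the PIN immediately with it.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed example values, not data from the article or the breaches:
// a double-length (16-byte) zone PIN key (ZPK) and a test PAN / PIN.
var (
	demoZPK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	demoPAN    = "4000001234567899"
	demoPIN    = "1234"
)

// panField returns the ISO 9564 format 0 PAN field: four zero digits followed
// by the rightmost 12 PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 numeric digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// PinBlockFormat0 builds the clear ISO 9564-1 format 0 PIN block:
// PIN field (control nibble 0, PIN length, PIN digits, F padding) XOR PAN field.
// The PIN pad forms this block and encrypts it; the clear block never leaves it.
func PinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 numeric digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	pinBytes, err := hex.DecodeString(pf)
	if err != nil {
		return nil, err
	}
	panBytes, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// tdesCipher accepts a double-length key (used as k1||k2||k1) or a triple-length key.
func tdesCipher(key []byte) (cipher.Block, error) {
	switch len(key) {
	case 16:
		key = append(append([]byte{}, key...), key[:8]...)
	case 24:
	default:
		return nil, errors.New("TDES key must be 16 or 24 bytes")
	}
	return des.NewTripleDESCipher(key)
}

// EncryptPinBlock encrypts one 8-byte PIN block under the ZPK as a single ECB
// block, the form in which it is carried in the authorisation message.
func EncryptPinBlock(zpk, block []byte) ([]byte, error) {
	c, err := tdesCipher(zpk)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// RecoverPin does what an HSM holding the ZPK does (and what anyone else holding
// it could do): decrypt the block, strip the PAN, validate the format, extract the PIN.
func RecoverPin(zpk, encBlock []byte, pan string) (string, error) {
	c, err := tdesCipher(zpk)
	if err != nil {
		return "", err
	}
	if len(encBlock) != 8 {
		return "", errors.New("encrypted PIN block must be 8 bytes")
	}
	panBytes, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encBlock)
	for i := range clear {
		clear[i] ^= panBytes[i]
	}
	h := hex.EncodeToString(clear)
	n := int(clear[0] & 0x0f)
	if h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block (wrong key?)")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "f") != "" {
		return "", errors.New("not a valid format 0 PIN block (wrong key?)")
	}
	return pin, nil
}

func main() {
	block, _ := PinBlockFormat0(demoPIN, demoPAN)
	enc, _ := EncryptPinBlock(demoZPK, block)
	fmt.Printf("clear PIN block:     %X\n", block)
	fmt.Printf("encrypted PIN block: %X\n", enc)
	pin, err := RecoverPin(demoZPK, enc, demoPAN)
	fmt.Println("with the ZPK:   ", pin, err)
	wrongKey, _ := hex.DecodeString("FEDCBA98765432100123456789ABCDEF")
	pin, err = RecoverPin(wrongKey, enc, demoPAN)
	fmt.Println("without the ZPK:", pin, err)
}
```

Two things the example makes concrete: the clear block depends on the PAN, so a captured encrypted block is only useful to someone who also has the card data from the same message; and the whole scheme rests on the ZPK, which is why a compromise of the key material, rather than of card data alone, is the scenario the comment is worried about.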

A Finextra member, 17 March 2009, 21:40

Dave, you are assuming that to use a card you need a PIN. This isn't the case. Any CNP transactions, e.g. internet purchases, will not require a PIN.

A Finextra member, 17 March 2009, 22:46

I can only assume that Visa is desperate to not have PCI and their card processing methodologies lose all credibility. It hasn't really protected anyone so far, has it? If so, who? Their whole approach just leads to tears as far as I can see. Expensive and unreliable. Merchants just want to sell stuff. Just because you slap a dreamy standard on something doesn't mean it will be possible to comply, or that even compliance will make any difference.

Adam Nybäck - Anyro - Stockholm, 18 March 2009, 05:20

Steve, the article refers to a "global ATM heist", not internet purchases.

I agree with David. This is very disturbing. Having the PINs encrypted at all times, in environments like this, has been a requirement since long before PCI DSS came around.

A Finextra member, 18 March 2009, 16:43

Thanks Adam.

Steve, it says it was an ATM scam, which means PINs. What I don't understand is where the PINs came from. Also, something else I don't understand: if the scam involved multiple copies of cards, the crims couldn't have extracted more per day than the account withdrawal limit.

This whole story makes no sense.  Please, someone tell me how it was done, that I might sleep easily.