Visa Puts Heartland on Probation Over Security Breach

Includes: AXP, DFS, GPN, MA, V
by: Anthony M. Freed

Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined.

Called to the carpet sort of, anyway; the sanctions and guidance laid out by Visa (NYSE:V) seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from soon to be sidelined Citigroup (NYSE:C) and Bank of America, (NYSE:BAC) it is not surprising that they do not want to call too much attention to the situation:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.

It is worth noting here that Visa and MasterCard (NYSE:MA) reported anomalies to Heartland in late October, about two and a half months before the CAMS alert was issued.

Data breaches in the financial industry always reignite the debate between those who want full and immediate disclosure, and those who would prefer to subdue the news.

A lot seems to depend on your preferred usage of words like “quick” and “help”.

As for the sanctions Visa has prescribed for Heartland, I believe it’s something akin to when Dean Wormer put the Delta House on Double Secret Probation, or at least that’s how it reads:

Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake.

A breach of unknown scope and impact to consumers, participating banks, their shareholders, merchants, the economy in general, the source of multiple class action lawsuits and untold losses for years to come, and the big smack down is that Heartland has to sit in the back of the bus?

Profits over protocols; some actuary must have crunched the numbers, the underwriters drew the bottom line, and the executives decided to mush on. Damn the torpedo (holes).

And Heartland may not be the whole story.

There are multiple access points in the data chain. Heartland may be where the malware disease did its worst damage, but that does not guarantee that Heartland is also the point of infection.

And as far as being PCI DSS compliant, there has been some confusion as to what that exactly means for security assurance.

PCI DSS compliance is only a momentary measure. Think of it along the lines of a kitchen inspector who gives a restaurant the highest rating after inspection, that is no guarantee the cook will wash his hands well next week, or that the mayonnaise will never get left out.

That is why you will hear a CEO of a breached credit card processor plead “But we were PCI DSS compliant“ and simultaneously you will hear the PCI council (made up of the major payment card brands American Express (NYSE:AXP), Discover Financial Services (NYSE:DFS), JCB International, MasterCard Worldwide and Visa) exclaim that “No PCI compliant processor has ever been breached.”

Both of these statements can not be correct.

Also included in Visa’s belated response to the Heartland breach is a fine to be levied against the participating banks - most of whom rightly consider themselves to be victims of the breach as much as their customers are.

This must be like when the mean Drill Sergeant makes everyone march in the rain because one jerk made a goof. I guess the client banks are supposed to exert peer pressure on Heartland to mend their ways, or something:

Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks. Such fines are part of the program Visa uses to assure compliance with system rules. Ongoing compliance with PCI DSS helps keep the system more secure for all participants.

I fail to see the purpose of penalizing banks that send their processing business to Heartland unless it can be shown that the bank somehow contributed to the breach in a material manner, otherwise this is just more fodder for the lawyers in the form of damages to recover through litigation.

Another mystery contained in Visa’s announcement is the requirement that all fraud related to the Heartland breach has to be reported by May 19th. This is ridiculous, as it could be a year or two before all fraud cases can be identified and then substantiated; requiring this to happen in the next two months is unrealistic, if not unreasonable:

Account Data Compromise Recovery - Visa has determined that this event qualifies for the Account Data Compromise Recovery (ADCR) program. Subject to its terms, this program provides issuers the ability to recover a portion of their losses related to accounts that are determined to be the subject of a breach, by assessing acquirers for the ADCR financial liability. An acquirer’s ADCR financial liability is determined based on a percentage of magnetic stripe-read counterfeit fraud and specified operating expense liability amounts. Issuers will have until May 19th to report fraud losses related to this event to Visa. Until this reporting window closes, specific recovery amounts cannot be determined. Visa will provide clients with additional information as it becomes available.

Finally we get to that last paragraph, and I can say there is something there that I actually agree with: The PCI DSS is a decent start. What really needs to be fixed is how PCI DSS is implemented and maintained throughout the data access chain:

This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard. These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises. Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud.

So in summation, Heartland (and others) may be full of holes, and Visa belatedly recommends business as usual until such time as the holes can be found and filled.

On to the next breach.

Disclosure: Long C.