Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is being called to the carpet for the lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, and perhaps even the largest breach ever.
Called to the carpet, sort of, anyway; the sanctions and guidance laid out by Visa (V) seem a little lackluster when weighed against the severity and duration of the breach.
Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from the soon-to-be-sidelined Citigroup (C) and Bank of America (BAC), so they do not want to call too much attention to the situation:
On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:
CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.
It is worth noting here that Visa and MasterCard (MC) reported anomalies to Heartland in late October, about two and a half months before the CAMS alert was issued.
Data breaches in the financial industry tend to reignite the debate between those who want full and immediate disclosure and those who would prefer to soothe consumer concerns.
A lot seems to depend on the preferred usage of words like “quick” and “help”.
As for the sanctions Visa has prescribed for Heartland, it’s something akin to when the Dean put the Delta House on double secret probation, but with less intent:
Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.
System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.
A breach of unknown scope and impact on consumers, participating banks, their shareholders, merchants, and the economy in general, one that is already the source of multiple class action lawsuits and will cause untold losses for years to come, and Heartland's only consequence so far has been a steep decline in its stock price.
And Heartland may not be the whole story.
There are multiple access points in the data chain. Heartland may be where the malware disease did its worst damage, but that does not guarantee that Heartland is also the point of infection.
And as far as being PCI DSS compliant goes, there has been some confusion as to what exactly that means for security assurance.
PCI DSS compliance is only a point-in-time measure. Think of it along the lines of a kitchen inspector who gives a restaurant the highest rating after an inspection: that is no guarantee the mayonnaise will never get left out overnight.
That is why you will hear the CEO of a breached credit card processor plead that they were PCI DSS compliant, and simultaneously you will hear the PCI council exclaim that no PCI compliant processor has ever been breached.
Both of these statements cannot be correct, yet both are true.
Included in Visa’s belated response to the Heartland breach is a fine to be levied against the sponsoring banks:
Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks. Such fines are part of the program Visa uses to assure compliance with system rules. Ongoing compliance with PCI DSS helps keep the system more secure for all participants.
Visa’s announcement includes the requirement that all fraud related to the Heartland breach be reported by May 19th.
This is ridiculous, as it could be a year or two before all fraud cases can be identified and then substantiated; requiring this to happen in the next two months is unrealistic, if not unreasonable:
Account Data Compromise Recovery - Visa has determined that this event qualifies for the Account Data Compromise Recovery (ADCR) program. Subject to its terms, this program provides issuers the ability to recover a portion of their losses related to accounts that are determined to be the subject of a breach, by assessing acquirers for the ADCR financial liability. An acquirer’s ADCR financial liability is determined based on a percentage of magnetic stripe-read counterfeit fraud and specified operating expense liability amounts. Issuers will have until May 19th to report fraud losses related to this event to Visa. Until this reporting window closes, specific recovery amounts cannot be determined. Visa will provide clients with additional information as it becomes available.
Finally, we get to the last paragraph, and I can say there is something there that I actually agree with: the PCI DSS is a decent start.
What really needs to be fixed is how PCI DSS is implemented and maintained throughout the data access chain:
This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard. These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises. Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud.
Heartland (and others) may be full of holes, and Visa belatedly recommends business as usual until such time as the holes can be found and filled.
On to the next breach.