Visa removes the two payment processors from its list of DSS-certified providers

Mar 16, 2009 08:41 GMT

Following serious security breaches and data theft incidents at Heartland Payment Systems and RBS WorldPay, Visa has removed the two processors from its list (PDF) of providers compliant with the payment industry's security standard, PCI DSS. According to industry experts, this leaves their hundreds of customers in a tough position and susceptible to fines.

RBS WorldPay offers payment-processing solutions covering credit, debit, electronic bank transfers, gift cards, customer loyalty cards, checks, and ATMs, as well as tailored solutions for the retail, restaurant, petroleum, convenience store, grocery, hospitality, and transport sectors, including card-not-present transactions in those sectors. On 23 December 2008, the company announced that, at the beginning of November, unidentified parties had illegally gained access to its computer systems and potentially compromised the personal information of 1.5 million customers.

RBS also noted that 100 payroll cards had been used fraudulently and had subsequently been disabled. It was later revealed that these cards had been employed in one of the most complex and well-coordinated fraud schemes ever carried out. Over 130 different ATMs in 49 cities worldwide were hit within a 30-minute period, with the crooks successfully withdrawing a whopping $9 million.

Heartland Payment Systems processes payments for over 250,000 mostly small and mid-size businesses and merchants in the U.S. and is considered to be the sixth-largest payment processor in the country. On 20 January 2009, the company announced that, during an internal audit prompted by a Visa warning, it had discovered that transaction data passing through its network had been intercepted and a significant number of credit cards had been compromised.

Financial fraud experts criticized the timing chosen by both companies to make these incidents public: just before Christmas and on Inauguration Day, respectively. After carefully considering the results of the investigation, Visa has decided that the two companies can no longer be considered in compliance with the Data Security Standard (DSS) established by the Payment Card Industry Security Council.

"Retailers and other companies are not allowed to do business with processors that are not PCI compliant, so this puts all of Heartland's customers and all of RBS's customers out of compliance," Gartner analyst Avivah Litan comments, according to The Register. Companies that are processing a large number of transactions are required to be audited once every year by a qualified security assessor (QSA).

"Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance," Visa has announced in a statement. According to SCMagazine, both companies have confirmed that they are in the process of recertification. Heartland has noted that it is currently undergoing its audit for 2009 and expects to be assessed as compliant by May, while RBS WorldPay is confident it will obtain the certification by April.