Friday, March 13, 2009

On to the Next Breach...

Anthony Freed, Financial Editor for Information-Security-Resources.com, wrote an exclusive on Visa having put Heartland on "double secret probation" over its recent breach. It's already been picked up by Seeking Alpha.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.

He also is the official live blogger for the upcoming 2009 Sarbanes-Oxley Conference. For more information visit: ISR

Visa Puts Heartland on Probation Over Breach

By Anthony M. Freed, Information-Security-Resources.com Financial Editor


Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the carpet for the apparent lapses in Payment Card Industry Data Security Standards (PCI DSS) that contributed to the largest data breach of 2008, perhaps even the largest breach ever considering the full extent of the exposure has yet to be determined.

Called to the carpet sort of, anyway; the sanctions and guidance laid out by Visa (V) seem a little lackluster when weighed against the severity and duration of the breach.

Given that Visa is now considered the most likely of several candidates for inclusion in the Dow Industrial Average, taking up slack from soon to be sidelined Citigroup (C) and Bank of America (BAC), it is not surprising that they do not want to call too much attention to the situation:

On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.

It is worth noting here that Visa and MasterCard (MC) reported anomalies to Heartland in late October, about two and a half months before the CAMS alert was issued.

Data breaches in the financial industry always reignite the debate between those who want full and immediate disclosure, and those who would prefer to subdue the news. A lot seems to depend on your preferred usage of words like “quick” and “help”.

As for the sanctions Visa has prescribed for Heartland, I believe it’s something akin to when Dean Wormer put the Delta House on Double Secret Probation, or at least that’s how it reads:

Removal from Visa’s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake.

A breach of unknown scope and impact to consumers, participating banks, their shareholders, merchants, the economy in general, the source of multiple class action lawsuits and untold losses for years to come, and the big smack down is that Heartland has to sit in the back of the bus?

Profits over protocols; some actuary must have crunched the numbers, the underwriters drew the bottom line, and the executives decided to mush on. Damn the torpedo (holes).

And Heartland may not be the whole story.

There are multiple access points in the data chain. Heartland may be where the malware disease did its worst damage, but that does not guarantee that Heartland is also the point of infection.

And as far as being PCI DSS compliant, there has been some confusion as to what that exactly means for security assurance.

PCI DSS compliance is only a momentary measure. Think of it along the lines of a kitchen inspector who gives a restaurant the highest rating after inspection; that is no guarantee the cook will wash his hands well next week, or that the mayonnaise will never get left out.

That is why you will hear a CEO of a breached credit card processor plead “But we were PCI DSS compliant” and simultaneously you will hear the PCI council (made up of the major payment card brands American Express (AXP), Discover Financial Services (DFS), JCB International, MasterCard Worldwide and Visa) exclaim that “No PCI compliant processor has ever been breached.”

Both of these statements cannot be correct.

Also included in Visa’s belated response to the Heartland breach is a fine to be levied against the participating banks - most of whom rightly consider themselves to be victims of the breach as much as their customers are. This must be like when the mean Drill Sergeant makes everyone march in the rain because one jerk made a goof. I guess the client banks are supposed to exert peer pressure on Heartland to mend their ways, or something:

Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks. Such fines are part of the program Visa uses to assure compliance with system rules. Ongoing compliance with PCI DSS helps keep the system more secure for all participants.

I fail to see the purpose of penalizing banks that send their processing business to Heartland unless it can be shown that the bank somehow contributed to the breach in a material manner; otherwise this is just more fodder for the lawyers in the form of damages to recover through litigation.

Another mystery contained in Visa’s announcement is the requirement that all fraud related to the Heartland breach has to be reported by May 19th. This is ridiculous, as it could be a year or two before all fraud cases can be identified and then substantiated; requiring this to happen in the next two months is unrealistic, if not unreasonable:

Account Data Compromise Recovery - Visa has determined that this event qualifies for the Account Data Compromise Recovery (ADCR) program. Subject to its terms, this program provides issuers the ability to recover a portion of their losses related to accounts that are determined to be the subject of a breach, by assessing acquirers for the ADCR financial liability. An acquirer’s ADCR financial liability is determined based on a percentage of magnetic stripe-read counterfeit fraud and specified operating expense liability amounts. Issuers will have until May 19th to report fraud losses related to this event to Visa. Until this reporting window closes, specific recovery amounts cannot be determined. Visa will provide clients with additional information as it becomes available.

Finally we get to that last paragraph, and I can say there is something there that I actually agree with: The PCI DSS is a decent start. What really needs to be fixed is how PCI DSS is implemented and maintained throughout the data access chain:

This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard. These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises. Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud.

So in summation, Heartland (and others) may be full of holes, and Visa belatedly recommends business as usual until such time as the holes can be found and filled.
On to the next breach.


The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
