Data Security & Privacy

Recent Data Breaches Highlight the “Usefulness” of PCI Compliance

 
In response to the recent data breaches at Heartland Payment Systems, Inc. ("HPS") and RBS WorldPay, Inc., Visa has dropped them from its "PCI Compliant" list, but added that it would consider restoring the credit card processing companies' status if they were recertified by a third-party auditor. Industry analysts, however, feel that the move by Visa is more about protecting itself than improving the security of payment card data. Gartner, Inc. analyst Avivah Litan told Computerworld.com on Monday, March 23, 2009, that Visa's actions mean that merchants can't use either payment processor if they themselves want to remain PCI compliant. Ms. Litan does not interpret Visa's decision to be as restrictive as it may seem, but rather as giving Visa the legal protection it may need to prevent HPS and RBS WorldPay from using PCI DSS compliance as a shield against breach-related lawsuits.

PCI DSS, the Payment Card Industry Data Security Standard, is technically not a law passed by any federal or state legislature, but an outline of standards created by the major credit card companies (Visa, MasterCard, Discover, and AmEx) to prevent theft of credit and debit card data from retail systems. The standards, which went into effect in June 2005, outline 12 broad security controls that retailers, online merchants, data processors, and other businesses must implement to protect cardholder data. Companies that fail to meet the standards may be subjected to fines and could potentially be barred from processing payment card transactions.

Therefore, Ms. Litan does bring up an extremely interesting issue: if payment processors, as is the case here, are required to comply with a 12-point safeguards standard that is mandated by Visa, then ultimately shouldn't Visa be a named defendant if class action litigation is commenced? This kind of litigation issue would directly challenge the usefulness of being PCI compliant, because regardless of the ruling, the individual merchant, payment processor, etc., is basically being told that they are the ones who will be left holding the proverbial bag should a breach of data occur. What Visa is failing to realize is that a large majority of merchants who have a Visa, MasterCard, or AmEx sticker in their store window do not have the infrastructure in place to ensure total security of credit card data; they are relying on their vendors for that. Meanwhile, the ones with the "deepest pockets" get to walk away from the scene of the crime with absolutely no liability attached to them.

PCI DSS compliance, like the other rules and regulations in place, is only as good as the enforcement mechanisms that exist to ensure compliance. This continues to be why organizations are getting "stung" by data breaches on a daily basis. Many organizations look at the 12-point checklist for PCI compliance and tick off each section as they perform each function, and "poof," they are compliant. However, data security and governance are more a matter of cultural attitude than of regulated attitude. All the laws in the world will not be of use unless there are individuals "policing" the communities to ensure compliance. By "policing" I don't mean that some new executive branch needs to be created to monitor the Internet, but rather that each company should be charged with making data governance an integral part of its enterprise risk management strategy.

To read more, see the Computerworld article: Visa Slaps Payment Processors Over Breaches, Defends PCI Rules

