Heartland Taking Names And Kicking POS, With Visa’s Help

Written by Evan Schuman
March 24th, 2009

When Visa sent an E-mail to retailers telling them it was suspending Heartland, the note was explicit in saying that “Heartland will continue to serve as a processor in the Visa system.” But that didn’t stop rivals from recruiting Heartland customers by saying that they could face fines or PCI certification problems if they used them.

Visa issued a statement “clarifying” their original position, despite the fact that their original position was quite clear. Gartner issued a brief report Monday (March 23) saying that “this statement clarifies much of the confusion that arose after Heartland and RBS WorldPay were removed from Visa’s list of PCI-certified service providers. Visa had to stand by its long-standing policy, but its delisting decision had raised questions about whether the processors’ clients could continue to do business with them.”

That’s the part where I get lost. What was so confusing about Visa’s original statement that “Heartland will continue to serve as a processor in the Visa system”? Did people think that Visa would tell retailers that a vendor “will continue to serve as a processor in the Visa system” and then turn around and fine—or decertify—them for doing so?

Some of the explanation behind this comes from Heartland itself, which added some clarifications of its own on its site in an area written for merchants. “You may have been approached by Heartland’s competitors making false claims such as: ‘You could be fined because you use Heartland’ or ‘You will not be PCI compliant if you use Heartland.’ Through a series of cease and desist letters, Heartland has informed competitors that their untrue and misleading claims are baseless and unlawful. Heartland intends to initiate legal action against them if they do not immediately stop making these claims.”

What’s this? A breached processor actively defending itself? Rivals are not the only ones to feel Heartland’s ire. Last Thursday (March 19), a software security company called Cloakware issued a news release about five security holes that it wanted to flag to the world. This wasn’t exactly a lot of insightful surprising stuff (the top item on their list was “Using Vendor-Supplied Default Passwords,” followed by “unsecured access to cardholder data”). But what caught our eye was a reference near the end of the statement that said, “Heartland Payment Systems recently announced that tens of millions of credit and debit card transactions were compromised, signaling the worst breach in the Payment Card Industry history.”

Funny, I hadn’t recalled seeing any such statement from Heartland and I somehow think I would have remembered that one.


4 Comments | Read Heartland Taking Names And Kicking POS, With Visa’s Help

  1. Tom Mahoney Says:


    I certainly don’t approve of advertising using Heartland’s unfortunate position but you, or rather Heartland’s competitors, raise an interesting point.

    Merchants are required to be compliant. Being compliant requires using a compliant processor. Heartland is not, at least for now, compliant. Therefore Heartland’s merchants are not compliant.

    Yes? No?

  2. Evan Schuman Says:

    Editor’s Note: The gray area here is Visa’s use of the word “probation” and Visa’s definition. It means that someone is off the PCI Compliant list, but it also means explicitly that retailers and still use them and be considered compliant. That probationed entity has to jump through a lot of testing hoops–and is put on notice that they need to fix everything quickly or they’re out–but they are still qualified to accept transactions.
    But regardless of how anyone might feel about this probation mode, Visa is within its rights to create it and to define it however it wants. Given that Visa–from the beginning–was explicit about what it meant, I have to side with Heartland on this one and say that the rivals (this time) were out-of-line. I don’t have to agree with Visa’s move (personally, I would have argued that if they wanted to have an impact, they should have cleanly removed them from the list. That would have sent a clear signal) to respect it and to argue that the industry has an obligation to abide by it.

  3. PCI Guy Says:

    Considering all of the close scrutiny Heartland has now been subject to by VISA personnel, FBI, Secret Service, and Heartland’s own staff and security consultants, their systems are now probably far more secure than most. So why on Earth did Visa decide to make a public spectacle of “suspending” Heartland? What benefit could possibly been achieved by doing that? Either VISA considers Heartland’s systems secure enough to be safe for processing transactions, or not. If they are not secure enough then they should have been REMOVED from the list, not “placed on probation”.

  4. Steve Sommers Says:

    A VISA represenative speaking at the ETA show clarified this today. The merchant is responsible from his network and down stream — meaning any POS, hardware or software that they host. Merchants must use “approved” gateways and processors but if the breach happens up stream — meaning the gateway or processor — then the merchant is not liable. Heartland is still an “approved” vendor (albeit on probation) so compliant merchants using Heartland are compliant.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.