The Latest Chapter In Heartland’s Alice In Wonderland PCI Journey

Written by Evan Schuman
May 4th, 2009

The back-and-forth compliance dance that is being forced upon Heartland Payment Systems took its latest journey through the PCI Looking Glass Friday (May 1), with Heartland declaring that it has now returned to Visa’s list of PCI DSS validated service providers (aka the list of providers that Visa heartily recommends today but will deny ever having heard if they’re breached tomorrow).

The journey began when Heartland was certified PCI compliant in April 2008. A few months later, Heartland was severely breached and Visa began its revisionist-history dance. Given its public stance that no PCI-compliant merchant or processor had ever been breached, Visa determined that Heartland therefore could not have been truly compliant in April 2008. On March 12, 2009, Visa removed Heartland from the compliant list.

But just in case someone might mistake this move as Visa actually caring about security, Visa stressed to retailers that everything was OK and that they were completely safe in using Heartland anyway. It wasn’t quite “ignore that man behind the curtain” but it was close. (I know that I’m mixing literary metaphors, with both Alice’s Adventures in Wonderland and The Wizard of Oz, but the circumstances make it hard to resist. At least I’m not casting Visa as the Cowardly Lion who makes a fierce sound but is ultimately gutless when pushed. Give me some credit for that.)

Heartland is now being certified again as being PCI compliant. Are these the same people that certified Heartland the first time? I withdraw. Such things are not polite to ask. So now the certification—which Visa says is terribly important, except when they say otherwise—is back on.

What should a retailer do with this information? Exactly what Visa had suggested: ignore it. The PCI program is a very good cause and should be applauded, but the very nature of security programs makes the mechanisms of point-in-time, based-on-whatever-the-assessor-is-shown assessments not especially meaningful to outsiders.

To the retailer or the assessor, it could flag trouble spots, but a processor that is labeled PCI compliant very well may not be. (My colleague, Dave Taylor, last week brilliantly detailed why the PCI grading system doesn’t work.) That leaves retailers with the same due diligence process they’ve relied on for decades when evaluating security partners: Ask a ton of questions, talk with others in the community, make your best choice, have the lawyers carefully craft agreements and then watch everyone carefully.

But ultimately, there is no PCI safe harbor and there really never was. Using people on a list provides no guarantees, nor should it. In the meantime, it’s good to know that Visa has welcomed Heartland back to the list that they told people to not worry about. The Mad Hatter and the Cheshire Cat would have been proud.

