
Heartland Taking Names And Kicking POS, With Visa’s Help

Written by Evan Schuman
March 24th, 2009

When Visa sent an E-mail to retailers telling them it was suspending Heartland, the note was explicit in saying that “Heartland will continue to serve as a processor in the Visa system.” But that didn’t stop rivals from recruiting Heartland customers by saying that they could face fines or PCI certification problems if they used them.

Visa issued a statement “clarifying” their original position, despite the fact that their original position was quite clear. Gartner issued a brief report Monday (March 23) saying that “this statement clarifies much of the confusion that arose after Heartland and RBS WorldPay were removed from Visa’s list of PCI-certified service providers. Visa had to stand by its long-standing policy, but its delisting decision had raised questions about whether the processors’ clients could continue to do business with them.”

That’s the part where I get lost. What was so confusing about Visa’s original statement that “Heartland will continue to serve as a processor in the Visa system”? Did people think that Visa would tell retailers that a vendor “will continue to serve as a processor in the Visa system” and then turn around and fine—or decertify—them for doing so?

Some of the explanation behind this comes from Heartland itself, which added some clarifications of its own on its site in an area written for merchants. “You may have been approached by Heartland’s competitors making false claims such as: ‘You could be fined because you use Heartland’ or ‘You will not be PCI compliant if you use Heartland.’ Through a series of cease and desist letters, Heartland has informed competitors that their untrue and misleading claims are baseless and unlawful. Heartland intends to initiate legal action against them if they do not immediately stop making these claims.”

What’s this? A breached processor actively defending itself? Rivals are not the only ones to feel Heartland’s ire. Last Thursday (March 19), a software security company called Cloakware issued a news release about five security holes that it wanted to flag to the world. This wasn’t exactly a lot of insightful or surprising stuff (the top item on its list was “Using Vendor-Supplied Default Passwords,” followed by “unsecured access to cardholder data”). But what caught our eye was a reference near the end of the statement that said, “Heartland Payment Systems recently announced that tens of millions of credit and debit card transactions were compromised, signaling the worst breach in the Payment Card Industry history.”

Funny, I hadn’t recalled seeing any such statement from Heartland and I somehow think I would have remembered that one.


4 Comments

  1. Tom Mahoney Says:

    Evan;

    I certainly don’t approve of advertising using Heartland’s unfortunate position but you, or rather Heartland’s competitors, raise an interesting point.

    Merchants are required to be compliant. Being compliant requires using a compliant processor. Heartland is not, at least for now, compliant. Therefore Heartland’s merchants are not compliant.

    Yes? No?

  2. Evan Schuman Says:

    Editor’s Note: The gray area here is Visa’s use of the word “probation” and Visa’s definition. It means that someone is off the PCI Compliant list, but it also means explicitly that retailers can still use them and be considered compliant. That probationed entity has to jump through a lot of testing hoops–and is put on notice that they need to fix everything quickly or they’re out–but they are still qualified to accept transactions.
    But regardless of how anyone might feel about this probation mode, Visa is within its rights to create it and to define it however it wants. Given that Visa–from the beginning–was explicit about what it meant, I have to side with Heartland on this one and say that the rivals (this time) were out-of-line. I don’t have to agree with Visa’s move (personally, I would have argued that if they wanted to have an impact, they should have cleanly removed them from the list. That would have sent a clear signal) to respect it and to argue that the industry has an obligation to abide by it.

  3. PCI Guy Says:

    Considering all of the close scrutiny Heartland has now been subject to by VISA personnel, FBI, Secret Service, and Heartland’s own staff and security consultants, their systems are now probably far more secure than most. So why on Earth did Visa decide to make a public spectacle of “suspending” Heartland? What benefit could possibly have been achieved by doing that? Either VISA considers Heartland’s systems secure enough to be safe for processing transactions, or not. If they are not secure enough then they should have been REMOVED from the list, not “placed on probation”.

  4. Steve Sommers Says:

    A VISA representative speaking at the ETA show clarified this today. The merchant is responsible for his network and downstream — meaning any POS, hardware or software that they host. Merchants must use “approved” gateways and processors, but if the breach happens upstream — meaning the gateway or processor — then the merchant is not liable. Heartland is still an “approved” vendor (albeit on probation), so compliant merchants using Heartland are compliant.
