
News Analysis

On 19 March 2009, Visa issued a statement to Gartner indicating that merchants and other card-payment-accepting enterprises can continue to do business with the U.S. payment processors Heartland Payment Systems and RBS WorldPay without threat of fines from Visa. The two processors both recently suffered serious data security breaches, and Visa removed them from its list of Payment Card Industry (PCI) certified service providers (for more information about the Visa certification process, see http://usa.visa.com/merchants/risk_management/cisp_service_providers.html). In its new statement, Visa said that card acceptors will not be subject to noncompliance fine assessments if all other standing PCI Data Security Standard (DSS) validation requirements have been satisfied. These terms will remain valid as long as the two payment processors continue to work on revalidating their own PCI compliance status, which they expect to complete within weeks. Visa has not publicly stated what specific system-related activities drove the processors out of compliance after their original certification.

This statement clarifies much of the confusion that arose after Heartland and RBS WorldPay were removed from Visa's list of PCI-certified service providers. Visa has always emphasized the need for merchants to use PCI DSS-compliant service providers, which it lists publicly on its Web site, but the security breaches at the two processors placed the card brand in a difficult position. Visa had to stand by its long-standing policy, but its delisting decision had raised questions about whether the processors' clients could continue to do business with them. Visa clearly did not want to risk putting the processors out of business, partly because of the potentially enormous disruption to their hundreds of thousands of merchant customers.
The Visa delisting should nonetheless make it easier for the card brand to help card issuers recover from the processors any financial losses the issuers suffered as a result of the breaches. It should also make it easier for Visa to impose fines (probably $150,000 or more each) on the card processors. In general, these breaches, and the industry's response to them, show that the current PCI certification process alone is not enough to keep cardholder data secure: both processors were certified as compliant at the time they were breached.

Recommendations

- Merchants and other card-accepting enterprises using Heartland or RBS WorldPay services: Take no action, because the processors will likely be recertified soon.
- Visa and other card brands: Clarify PCI DSS enforcement policy from this point on and publicly disseminate enforcement policies and ongoing clarifications and refinements to these policies. Strengthen U.S. payment system security by instituting measures (for example, end-to-end card data encryption and stronger cardholder authentication) that go beyond PCI requirements.
- All parties that handle cardholder data: Focus on maintaining continuous cardholder data security, rather than on achieving PCI-compliant status.

Recommended Reading

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)
