Tuesday, March 17, 2009

On Heartland V

Sorry, but I cannot resist – here comes “On Heartland V.” Why did I break my promise?

This is why:

[Image: hland_drop]

Source: DatalossDB

And this is why:  “Class Action Lawsuit on behalf of certain investor in Heartland Payment Systems over alleged violations of Federal Securities Laws” (here)

And this is why:  “Visa withdraws Heartland PCI compliance” (here). And “a little bird” (tm) brought this missing piece of info: their merchants are contractually obligated to do business with a PCI-compliant processor (please confirm or deny this rumor if you have more info).

Overall, in light of the above I now think that Heartland might well end up being “CardSystems 2.0” and actually die. That will make the “security doesn’t really matter” crowd … well… not matter :-) At least for a while.

Case closed? Security breaches actually … gasp! … matter for business.

5 comments:

Rafal Los said...

@Anton - While I really do feel for the employees at HPS (much like I felt for the [mostly] innocent employees at many of the banks that have closed recently) I would like to see public hangings for management which allowed things like this to happen.

Now - it's entirely possible that this is simply a case of hackers vs. white-hats and hackers win... that happens; but I want an investigation that is *public* to determine cause... and IF the cause is determined to be anything other than "they did the best they could, but still got nailed" then management, from the CISO up, goes to the Federal Pen.... period.

Anonymous said...

@Anton, I am not as pessimistic as you seem to be on this. Visa did not revoke either processor's ability to process transactions; they only took them off the CISP list of compliant service providers. It could have been much worse. This is a black eye to be sure, but not a death sentence.

My guess is both will re-certify and get back in Visa's good graces soon. I also note that none of the other brands has taken any action. Therefore, I don't see any wholesale defection of merchants. Visa didn't go nuclear on them; they could have if the situation warranted, and it doesn't seem like it did.

Anonymous said...

We're just at the beginning of this incident. What we've seen so far is before the hammers have fallen. Visa will fine them. The other brands will follow suit as usual. Lawsuits are under way, which are usually much more damaging. FTC is investigating. SEC is informally investigating. Those are some huge hammers and the news for each won't be overshadowed by an inauguration day. Heartland is toast.

Anonymous said...

I believe the requirement for merchants to do business with PCI compliant service providers is so that when they pass along data they also pass along risk and liability. While you can argue that includes the processor, that depends on the contractual relationship. In most cases the processor has already passed this to the merchant - so it can become a bit circular.

Look at past breaches, the fines normally flow to the processor first and then the merchant. The question is who's in the front in the line of (legal) fire.

Anton Chuvakin said...

Well, I am not "pessimistic" either; the chances of it being "TJX 2.0" rather than "CardSystems 2.0" are pretty high indeed...

Dr Anton Chuvakin