Key points/questions/quotes:
- "HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards." - AND then let them lapse into insecurity+non-compliance again? If not, why not? How do they plan to be sure?
- "The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions." - OK, SAME QSA or a different one?
- "So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake." - OMG, I get it now: Heartland is "TOO BIG TO FAIL" :-)
- "Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks." - Ah, fines finally! BTW, the definition of a "sponsoring bank" is here.
- "This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard." - to me this line is proof that "people in the know" now know that the Heartland case is a case of them being validated PCI-OK (by a QSA of unknown degree of "anality") and then lapsing into insecurity AND non-compliance.