Friday, March 13, 2009

It's Official: Heartland Is NOT PCI Compliant (... Anymore)

A fun read here: "Visa Puts Heartland on Probation Over Security Breach"

Key points/questions/quotes:
  • "HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards." - AND then let them lapse into insecurity+non-compliance again? If not, why not? How do they plan to be sure?
  • "The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions." - OK, SAME QSA or a different one?
  • "So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake." - OMG, I get it now: Heartland is "TOO BIG TO FAIL" :-)
  • "Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks." - Ah, fines finally! BTW, the definition of a "sponsoring bank" is here.
  • "This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard." - to me this line is proof that "people in the know" now know that the Heartland case is the case of them being validated PCI-OK (by a QSA of unknown degree of "anality") and then lapsing into insecurity AND non-compliance.
Dr Anton Chuvakin