RBS WorldPay Inc., the other big merchant acquirer besides Heartland Payment Systems Inc. to report a major data breach in recent months, this week announced that it has attained validated compliance with the Payment Card Industry data-security standard, or PCI. But Atlanta-based RBS WorldPay didn't say anything in its news release about if or when it would reappear on Visa Inc.'s widely watched list of PCI-compliant processors. The company is not on the current list posted on Visa's risk-management site for merchants. Typically, an acquirer sends its annual report of validated PCI compliance to Visa for review. An RBS spokesperson did not return a call and e-mail from Digital Transactions News, and a Visa spokesperson had no comment.

After their breaches, Visa declared RBS and Heartland out of compliance with PCI and removed them from its list of validated processors. The network, however, allowed them to continue submitting Visa card transactions into the VisaNet network (Digital Transactions News, March 14). Heartland attained validated compliance April 30 and recently regained listing.

RBS WorldPay first reported in December that a breach of its computer system may have compromised personal information on about 1.5 million cardholders, including the Social Security numbers of more than 1 million consumers. About six weeks later, news broke of rapid-fire ATM thefts by fraudsters who had cloned and then manipulated payroll card data stolen in the RBS WorldPay breach. The fraud ring used that data to make 100 bogus cards, and then apparently withdrew about $9 million from 130 ATMs located around the world in just 30 minutes last Nov. 8 (Digital Transactions News, Feb. 4).

While Princeton, N.J.-based Heartland hasn't revealed the size of its breach yet, in other ways it has been much more front-and-center than RBS WorldPay about security matters. Heartland is making a high-profile effort to improve security by trying to persuade the card industry to adopt end-to-end data encryption in the transaction process (Digital Transactions News, April 30).

But RBS WorldPay has said very little about its breach over the past five months. One reason might be that the company is owned by Britain's Royal Bank of Scotland Group plc, and banks are well-versed about disclosure laws (and how to evade them in any legal way), speculates Avivah Litan, a technology and security analyst with Stamford, Conn.-based consulting firm Gartner Inc. “Because RBS WorldPay is owned by a bank, I guess I would just assume RBS has craftier lawyers than Heartland,” she says.

One issue Litan says has been raised by the RBS WorldPay and Heartland breaches (and others she says that haven't been publicly disclosed) involves the responsibilities of the so-called qualified security assessors (QSAs) that do PCI assessments for processors and merchants. Assessors typically structure their contracts so that they bear little or no liability if a client is breached, she says.

Visa's list of PCI-compliant processors can be found at .