Re: Letter from Visa regarding Heartland

["Jamie C. Pole" <jpole () jcpa com>]

Well, Heartland (as well as the other large processors) is required to  
have a sponsor bank in order to handle Visa and MasterCard transactions.

Heartland's primary sponsor is KeyBank, but I understand that there  
are also several other smaller sponsors.

Basically, it's like the mafia.  I bring someone to you and vouch for  
them.  Later, when the person I vouched for turns out to be a rat, I  
get whacked for bringing in a rat.  You'll probably whack the rat as  
well (at some point), but I get it first, because I brought the rat  
through the front door.

Same basic proposition.  Heartland screws up, and the sponsor banks  
get fined.  Heartland will still be sued in civil court but the  
sponsor banks get the contractual fines from Visa.

It's a vicious circle.

Jamie


On Mar 13, 2009, at 3:27 PM, security curmudgeon wrote:

> [We received a copy of the letter Visa sent to customers regarding the
>   Heartland breach and subsequent actions. Could anyone explain what  
> "fines
>   will be assessed to Heartland's sponsoring banks" means exactly?  
> That
>   wording implies that Heartland will not be fined themselves? -  
> jericho]
>
>
> ---------- Forwarded message ----------
>
> From: Visa Inc. [mailto:noreply () visaclientcommunications com]
> Sent: Thursday, March 12, 2009 3:30 PM
> Subject: Update on Heartland Payment Systems Compromise
>
>
> Risk Management | Data Compromise
> March 12, 2009
>
> Update on Heartland Payment Systems Compromise
> Dear $person
>
> At Visa, we believe data security is critical to the long-term  
> success of
> our respective businesses. As such, I am writing to update you on  
> recent
> activity related to the security of our collective payment system.
>
> On January 20th of this year, Heartland Payment Systems (HPS) publicly
> disclosed a large-scale compromise involving account data from all  
> card
> brands. In light of this event, Visa has taken the following actions  
> to
> help protect the Visa system:
>
> CAMS Alerts - Between January 18th and February 4th Visa issued a  
> series
> of Compromised Account Management System (CAMS) alerts (US-2009-046- 
> IC) to
> financial institutions related to this compromise event. Providing  
> this
> information can help financial institutions act quickly to minimize  
> fraud
> on exposed card accounts.
>
> Removal from Visa's List of Compliant Service Providers - Visa has  
> removed
> Heartland from its online list of Payment Card Industry Data Security
> Standard (PCI DSS) compliant service providers. HPS has advised,  
> however,
> that it is aggressively working on remediation and re-validation of  
> its
> systems to comply with PCI DSS standards. The company will be relisted
> once it revalidates its PCI DSS compliance using a Qualified Security
> Assessor and meets other related compliance conditions.
>
> System Participation - HPS is now in a probationary period, during  
> which
> it is subject to a number of risk conditions including more stringent
> security assessments, monitoring and reporting. Subject to these
> conditions, Heartland will continue to serve as a processor in the  
> Visa
> system.
>
> Fines - In accordance with Visa Operating Regulations, fines will be
> assessed to Heartland's sponsoring banks. Such fines are part of the
> program Visa uses to assure compliance with system rules. Ongoing
> compliance with PCI DSS helps keep the system more secure for all
> participants.
>
> Account Data Compromise Recovery - Visa has determined that this event
> qualifies for the Account Data Compromise Recovery (ADCR) program.  
> Subject
> to its terms, this program provides issuers the ability to recover a
> portion of their losses related to accounts that are determined to  
> be the
> subject of a breach, by assessing acquirers for the ADCR financial
> liability. An acquirer's ADCR financial liability is determined  
> based on a
> percentage of magnetic stripe-read counterfeit fraud and specified
> operating expense liability amounts. Issuers will have until May  
> 19th to
> report fraud losses related to this event to Visa. Until this  
> reporting
> window closes, specific recovery amounts cannot be determined. Visa  
> will
> provide clients with additional information as it becomes available.  
> This
> recent compromise underscores the importance of all parties  
> maintaining
> ongoing compliance with the Payment Card Industry Data Security  
> Standard.
> These standards continue to serve as a robust and critical  
> foundation to
> protect cardholder data and, when implemented properly, have proven  
> to be
> highly effective in preventing and mitigating the impact of data
> compromises. Compromise events are a reminder of the importance for  
> all
> parties in the payment system to maintain ongoing vigilance when it  
> comes
> to protecting cardholder data. Each stakeholder in the Visa system  
> has a
> critical role in our collective fight against the criminals that
> perpetuate card fraud.
>
> Please contact your normal Visa representative with any questions on  
> this
> matter.
>
> Sincerely,
>
>
>
> Ellen Richey
> Chief Enterprise Risk Officer
> Visa Inc.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
>
> CREDANT Technologies, a leader in data security, offers advanced  
> data encryption solutions.
> Protect sensitive data on desktops, laptops, smartphones and USB  
> sticks transparently
> across your enterprise to ensure regulatory compliance.
> http://www.credant.com/stopdataloss

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss