BreachExchange mailing list archives

Letter from Visa regarding Heartland


From: security curmudgeon <jericho () attrition org>
Date: Fri, 13 Mar 2009 19:27:01 +0000 (UTC)


[We received a copy of the letter Visa sent to customers regarding the
   Heartland breach and subsequent actions. Could anyone explain what "fines
   will be assessed to Heartland's sponsoring banks" means exactly? That
   wording implies that Heartland will not be fined themselves? - jericho]


---------- Forwarded message ----------

From: Visa Inc. [mailto:noreply () visaclientcommunications com]
Sent: Thursday, March 12, 2009 3:30 PM
Subject: Update on Heartland Payment Systems Compromise


Risk Management | Data Compromise
March 12, 2009

Update on Heartland Payment Systems Compromise
Dear $person

At Visa, we believe data security is critical to the long-term success of 
our respective businesses. As such, I am writing to update you on recent 
activity related to the security of our collective payment system.

On January 20th of this year, Heartland Payment Systems (HPS) publicly 
disclosed a large-scale compromise involving account data from all card 
brands. In light of this event, Visa has taken the following actions to 
help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series 
of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to 
financial institutions related to this compromise event. Providing this 
information can help financial institutions act quickly to minimize fraud 
on exposed card accounts.

Removal from Visa's List of Compliant Service Providers - Visa has removed 
Heartland from its online list of Payment Card Industry Data Security 
Standard (PCI DSS) compliant service providers. HPS has advised, however, 
that it is aggressively working on remediation and re-validation of its 
systems to comply with PCI DSS standards. The company will be relisted 
once it revalidates its PCI DSS compliance using a Qualified Security 
Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which 
it is subject to a number of risk conditions including more stringent 
security assessments, monitoring and reporting. Subject to these 
conditions, Heartland will continue to serve as a processor in the Visa 
system.

Fines - In accordance with Visa Operating Regulations, fines will be 
assessed to Heartland's sponsoring banks. Such fines are part of the 
program Visa uses to assure compliance with system rules. Ongoing 
compliance with PCI DSS helps keep the system more secure for all 
participants.

Account Data Compromise Recovery - Visa has determined that this event 
qualifies for the Account Data Compromise Recovery (ADCR) program. Subject 
to its terms, this program provides issuers the ability to recover a 
portion of their losses related to accounts that are determined to be the 
subject of a breach, by assessing acquirers for the ADCR financial 
liability. An acquirer's ADCR financial liability is determined based on a 
percentage of magnetic stripe-read counterfeit fraud and specified 
operating expense liability amounts. Issuers will have until May 19th to 
report fraud losses related to this event to Visa. Until this reporting 
window closes, specific recovery amounts cannot be determined. Visa will 
provide clients with additional information as it becomes available.

This recent compromise underscores the importance of all parties maintaining 
ongoing compliance with the Payment Card Industry Data Security Standard. 
These standards continue to serve as a robust and critical foundation to 
protect cardholder data and, when implemented properly, have proven to be 
highly effective in preventing and mitigating the impact of data 
compromises. Compromise events are a reminder of the importance for all 
parties in the payment system to maintain ongoing vigilance when it comes 
to protecting cardholder data. Each stakeholder in the Visa system has a 
critical role in our collective fight against the criminals that 
perpetuate card fraud.

Please contact your normal Visa representative with any questions on this 
matter.

Sincerely,



Ellen Richey
Chief Enterprise Risk Officer
Visa Inc.


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
