Re: Letter from Visa regarding Heartland

[Kenton Hoover <kenton_hoover () symantec com>]

Fines are always assessed to the bank(s) that the service provider has a
relationship with. Whether those fines are passed on is a contractual issue
between the bank and the service provider.


On 2009/03/13 12:27 -0700, "security curmudgeon" <jericho () attrition org>
wrote:

> [We received a copy of the letter Visa sent to customers regarding the
>    Heartland breach and subsequent actions. Could anyone explain what "fines
>    will be assessed to Heartland's sponsoring banks" means exactly? That
>    wording implies that Heartland will not be fined themselves? - jericho]
>
>
> ---------- Forwarded message ----------
>
> From: Visa Inc. [mailto:noreply () visaclientcommunications com]
> Sent: Thursday, March 12, 2009 3:30 PM
> Subject: Update on Heartland Payment Systems Compromise
>
>
> Risk Management | Data Compromise
> March 12, 2009
>
> Update on Heartland Payment Systems Compromise
> Dear $person
>
> At Visa, we believe data security is critical to the long-term success of
> our respective businesses. As such, I am writing to update you on recent
> activity related to the security of our collective payment system.
>
> On January 20th of this year, Heartland Payment Systems (HPS) publicly
> disclosed a large-scale compromise involving account data from all card
> brands. In light of this event, Visa has taken the following actions to
> help protect the Visa system:
>
> CAMS Alerts - Between January 18th and February 4th Visa issued a series
> of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to
> financial institutions related to this compromise event. Providing this
> information can help financial institutions act quickly to minimize fraud
> on exposed card accounts.
>
> Removal from Visa's List of Compliant Service Providers - Visa has removed
> Heartland from its online list of Payment Card Industry Data Security
> Standard (PCI DSS) compliant service providers. HPS has advised, however,
> that it is aggressively working on remediation and re-validation of its
> systems to comply with PCI DSS standards. The company will be relisted
> once it revalidates its PCI DSS compliance using a Qualified Security
> Assessor and meets other related compliance conditions.
>
> System Participation - HPS is now in a probationary period, during which
> it is subject to a number of risk conditions including more stringent
> security assessments, monitoring and reporting. Subject to these
> conditions, Heartland will continue to serve as a processor in the Visa
> system.
>
> Fines - In accordance with Visa Operating Regulations, fines will be
> assessed to Heartland's sponsoring banks. Such fines are part of the
> program Visa uses to assure compliance with system rules. Ongoing
> compliance with PCI DSS helps keep the system more secure for all
> participants.
>
> Account Data Compromise Recovery - Visa has determined that this event
> qualifies for the Account Data Compromise Recovery (ADCR) program. Subject
> to its terms, this program provides issuers the ability to recover a
> portion of their losses related to accounts that are determined to be the
> subject of a breach, by assessing acquirers for the ADCR financial
> liability. An acquirer's ADCR financial liability is determined based on a
> percentage of magnetic stripe-read counterfeit fraud and specified
> operating expense liability amounts. Issuers will have until May 19th to
> report fraud losses related to this event to Visa. Until this reporting
> window closes, specific recovery amounts cannot be determined. Visa will
> provide clients with additional information as it becomes available. This
> recent compromise underscores the importance of all parties maintaining
> ongoing compliance with the Payment Card Industry Data Security Standard.
> These standards continue to serve as a robust and critical foundation to
> protect cardholder data and, when implemented properly, have proven to be
> highly effective in preventing and mitigating the impact of data
> compromises. Compromise events are a reminder of the importance for all
> parties in the payment system to maintain ongoing vigilance when it comes
> to protecting cardholder data. Each stakeholder in the Visa system has a
> critical role in our collective fight against the criminals that
> perpetuate card fraud.
>
> Please contact your normal Visa representative with any questions on this
> matter.
>
> Sincerely,
>
>
>
> Ellen Richey
> Chief Enterprise Risk Officer
> Visa Inc.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
>
> CREDANT Technologies, a leader in data security, offers advanced data
> encryption solutions.
> Protect sensitive data on desktops, laptops, smartphones and USB sticks
> transparently 
> across your enterprise to ensure regulatory compliance.
> http://www.credant.com/stopdataloss

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss