BreachExchange mailing list archives
Re: Letter from Visa regarding Heartland
From: halsey () royalgroupservices com
Date: Fri, 13 Mar 2009 20:21:07 +0000
My understanding is this. VISA has a contract with the sponsoring bank, not Heartland. Therefore, VISA cannot fine Heartland directly. The sponsoring banks have contracts with Heartland that should allow them to pass these fines to Heartland. People hear "fines" and assume that VISA can just fine anyone involved in processing transactions. In reality, fines are levied by governments, and what VISA calls "fines" are contractual penalties/assessments that can only be assessed against those in contract with them. This is the same situation for merchants that are "fined."

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: security curmudgeon <jericho () attrition org>
Date: Fri, 13 Mar 2009 19:27:01
To: <dataloss () datalossdb org>
Subject: [Dataloss] Letter from Visa regarding Heartland

[We received a copy of the letter Visa sent to customers regarding the Heartland breach and subsequent actions. Could anyone explain what "fines will be assessed to Heartland's sponsoring banks" means exactly? That wording implies that Heartland will not be fined themselves? - jericho]

---------- Forwarded message ----------
From: Visa Inc. [mailto:noreply () visaclientcommunications com]
Sent: Thursday, March 12, 2009 3:30 PM
Subject: Update on Heartland Payment Systems Compromise

Risk Management | Data Compromise
March 12, 2009

Update on Heartland Payment Systems Compromise

Dear $person

At Visa, we believe data security is critical to the long-term success of our respective businesses. As such, I am writing to update you on recent activity related to the security of our collective payment system. On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands.

In light of this event, Visa has taken the following actions to help protect the Visa system:

CAMS Alerts - Between January 18th and February 4th Visa issued a series of Compromised Account Management System (CAMS) alerts (US-2009-046-IC) to financial institutions related to this compromise event. Providing this information can help financial institutions act quickly to minimize fraud on exposed card accounts.

Removal from Visa's List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.

System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.

Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland's sponsoring banks. Such fines are part of the program Visa uses to assure compliance with system rules. Ongoing compliance with PCI DSS helps keep the system more secure for all participants.

Account Data Compromise Recovery - Visa has determined that this event qualifies for the Account Data Compromise Recovery (ADCR) program. Subject to its terms, this program provides issuers the ability to recover a portion of their losses related to accounts that are determined to be the subject of a breach, by assessing acquirers for the ADCR financial liability. An acquirer's ADCR financial liability is determined based on a percentage of magnetic stripe-read counterfeit fraud and specified operating expense liability amounts. Issuers will have until May 19th to report fraud losses related to this event to Visa. Until this reporting window closes, specific recovery amounts cannot be determined.

Visa will provide clients with additional information as it becomes available.

This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard. These standards continue to serve as a robust and critical foundation to protect cardholder data and, when implemented properly, have proven to be highly effective in preventing and mitigating the impact of data compromises. Compromise events are a reminder of the importance for all parties in the payment system to maintain ongoing vigilance when it comes to protecting cardholder data. Each stakeholder in the Visa system has a critical role in our collective fight against the criminals that perpetuate card fraud.

Please contact your normal Visa representative with any questions on this matter.

Sincerely,
Ellen Richey
Chief Enterprise Risk Officer
Visa Inc.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss
Current thread:
- Letter from Visa regarding Heartland security curmudgeon (Mar 13)
- Re: Letter from Visa regarding Heartland Kenton Hoover (Mar 13)
- Re: Letter from Visa regarding Heartland halsey (Mar 13)
- Re: Letter from Visa regarding Heartland Jamie C. Pole (Mar 13)
- Re: Letter from Visa regarding Heartland Jon Turner (Mar 16)
- <Possible follow-ups>
- Re: Letter from Visa regarding Heartland Dave Stampley (Mar 14)