A Gartner Inc. analyst is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. not to switch to other payment processors just because of Visa Inc.'s decision this month to remove Heartland and RBS WorldPay from its list of service providers that are compliant with the PCI data security rules.
Visa dropped the two payment processors from its PCI-compliant list on March 12, in the wake of their recent disclosures that they had been hit by data breaches last year. The credit card company said it would "consider" putting Heartland and RBS WorldPay back on the list, but only after they are recertified by third-party assessors.
The action by Visa had raised some questions about whether merchants and other organizations could continue using the two payment processors without being penalized for noncompliance themselves. Visa requires all entities that accept credit and debit cards issued under its name to work only with service providers that comply with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).
But in a research bulletin issued yesterday (download PDF), Gartner analyst Avivah Litan said that customers can continue to utilize Heartland and RBS WorldPay without facing any fines from Visa.
Both payment processors are likely to soon be recertified as PCI-compliant, Litan said in the bulletin. In the interim, their customers have nothing to fear despite the recent delisting, she added, citing a statement that Visa issued to Gartner last week.
The statement clarifies "much of the confusion" that resulted from the delisting, according to Litan, who went on to say that the move was meant to serve as an indication of Visa's willingness to get tough with companies that fail to adequately protect cardholder data. At the same time, "Visa clearly did not want to risk putting the processors out of business, partly because of the potentially enormous disruption to their hundreds of thousands of merchant customers," Litan wrote.
A Heartland spokesman said that "several merchants" had expressed uncertainty over the consequences of Visa's delisting last week. "But Visa has been very good in recent days about clearing up this confusion," the spokesman said via e-mail. He also welcomed Litan's bulletin as being very helpful, "because a third party now reinforces what we believe - that we will return to the PCI DSS compliant list very soon."
A spokesman for RBS WorldPay said that company had no comments to make about the reaction of customers to the delisting move.
RBS WorldPay, an Atlanta-based division of The Royal Bank of Scotland Group PLC, disclosed in December that the personal data of about 1.5 million holders of prepaid payroll and gift cards had been compromised during a system intrusion (download PDF). It said last week that it hopes to be recertified as PCI-compliant by the end of next month.
Princeton, N.J.-based Heartland reported its breach in January, sparking widespread security concerns in the payment card industry and prompting at least eight banks and credit unions to file lawsuits against the company.
Heartland, which processes more than 100 million transactions per month, has yet to say how many card numbers were compromised in the intrusion there. It said last week that its goal is to be recertified by "no later than May."