Payments giant Visa has withdrawn PCI DSS compliance from RBS WorldPay and Heartland Payment Systems, following massive data breaches.
Visa administers the Payment Card Industry Data Security Standard (PCI DSS), to which organisations should conform in order to process, store, and transmit cardholder data.
Visa told ZDNet UK in a statement on Monday that it had removed PCI compliance from the companies following data breaches last year.
"Recently, Heartland Payment Systems and RBS WorldPay publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands," said the Visa statement. "Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers, which can be found at www.visa.com/cisp. Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance."
RBS WorldPay announced on 23 December that 1.5m cardholders may have been affected by inappropriate access to its systems, while Heartland announced in January that it had suffered an information breach that could have compromised millions of credit-card details.
Heartland confirmed that its PCI compliance had been withdrawn, while a Heartland spokesperson told ZDNet UK that the company expected "to be in Visa's good graces fairly soon."
"Heartland is cooperating fully with Visa and other card brands and we are committed to having a safe and secure processing environment," said the statement. "Heartland was certified as PCI-DSS compliant in April 2008 and expects to continue to be assessed as PCI-DSS compliant in the future. We’re undergoing our 2009 PCI-DSS assessment now, which Heartland believes will be complete no later than May 2009 and will result in Heartland, once again, being assessed as PCI-DSS compliant."
The Heartland spokesperson added that the majority of the information that had been exposed was not personally identifiable, although cardholder names, card numbers and expiration dates had been compromised.