A key question that needs to be addressed before implementing PCI is first figuring out how your operation is categorized under Visa’s compliance validation guidelines, either as a merchant or a service provider. Then determine which levels of compliance you are required to meet for that category. These levels range from filling out self-compliance reports up to having to submit to an annual on-site review by a Qualified Security Assessor (QSA).
Such questions are important now in the aftermath of data breaches at Heartland Payment Systems Inc. and RBS WorldPay in recent months. In a strange turn, Heartland officials have gone on the offensive in response to Visa’s statement that it had removed Heartland and RBS from its list of PCI-compliant vendors. The removal prompted some competitors to use the incidents to steal customers away, alleged Heartland CEO Robert Carr, who issued a statement threatening legal action if the misinformation campaign continues.
Visa then clarified its statement regarding the removal, saying that despite the delisting, Heartland was still able to process transactions, which may have caused even more confusion. Evan Schuman has a good take on the situation in “Heartland Taking Names And Kicking POS, With Visa’s Help.”
Gartner has come to the rescue somewhat, issuing a statement earlier this week with recommendations for merchants using Heartland or RBS WorldPay:
* Merchants and other card-accepting enterprises using Heartland or RBS WorldPay services: Take no action, because the processors will likely be recertified soon.
* Visa and other card brands: Clarify PCI DSS enforcement policy from this point on and publicly disseminate enforcement policies and ongoing clarifications and refinements to these policies. Strengthen U.S. payment system security by instituting measures (for example, end-to-end card data encryption and stronger cardholder authentication) that go beyond PCI DSS requirements.
* All parties that handle cardholder data: Focus on maintaining continuous cardholder data security, rather than on achieving PCI-compliant status.
For more coverage on PCI: