Mar 17 2009   2:13AM GMT

The Emperor Has No Clothes

Arian Eigen Heald Arian Eigen Heald Profile: Arian Eigen Heald

Visa is in a difficult position: it has said that merchants must be compliant, and the ultimate threat is to pull processing permissions from non-compliant merchants.

But if one of the merchants turns out to be a payment processor that generates huge profits for Visa, do they cut off their nose to spite their face? Evidently not. They just make them non-compliant. Sort of.

According to, Visa has declared that Heartland is no longer on the list of “PCI-compliant” vendors. Rather, Heartland is in a probationary period, with increased oversight, audits, etc.

But wait! In response to this announcement, Heartland declares that it had been compliant in 2008, is undergoing its 2009 assessment, and fully expects to be declared compliant.

(If you go to Heartland’s web site, they have quite a set of web pages on what it “means” to be PCI-compliant. The web page is entitled, “Ensuring You are PCI-Compliant.” They must take this literally, since THEY are not compliant (at least for the moment). Does anyone else besides me find this way too ironic?)

Are you confused yet? I sure am, and I’m the one who is supposed to be the auditor.

In a final expression of revisionist history, Visa is now declaring that “As of today, no compromised entity has been found to be compliant at the time of the breach.” So, temporarily, Heartland is not compliant, so no one who was compliant was…….I’m lost.

When is compliant not compliant? The message is, when Visa says it is. Or not.

PCI – Pay Cash Instead.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: