Heartland Data Breach: Visa Delivers Security Update to Processors

PCI Compliance is Main Theme of Presentation About Threats, Strategies Linda McGlasson • March 17, 2009

In the wake of the Heartland Payment Systems (HPY) data breach, credit card company Visa is on the road talking to its network of payment processors about current security threats and the merits of the Payment Card Industry Data Security Standard (PCI DSS).

PCI compliance is the main theme of a Visa PowerPoint presentation entitled "Security Update," a copy of which was obtained by Information Security Media Group (ISMG). The presentation, dated March 5 and attributed to two of Visa's security leaders, attempts to separate PCI facts from myths, concluding "PCI DSS continues to serve as a robust foundation to protect cardholder data in a static data environment."

The presentation goes on to discuss compromise and compliance trends; details short-term tactical adjustments being weighed by Visa; and then offers a four-point call-to-action to processors to ensure their security programs are comprehensive and current:

Stay up-to-date on security alerts, bulletins and communications from Visa;

Scan networks for malware and IP addresses provided by Visa;

Stay focused on corporate network security;

Provide Visa with a list of affiliated entities/business lines/products that store, process or transmit Visa account numbers or develop payment applications and their respective compliance status.

When reached for comment on the security update, a Visa spokesperson declined, saying the company does not discuss internal documents.

Incident Response

Visa's outreach comes roughly two months after the revelation of the Heartland data breach, in which an undetermined number of consumer credit/debit cards were compromised by hackers in 2008. To date, more than 600 banking institutions have stepped forward to tell ISMG that tens of thousands of accounts were compromised and, in some cases, have been used to commit fraud.

Late last week, Visa announced that Heartland had been removed from its list of PCI DSS compliant service providers.

Visa also announced to card issuers that they have until May 19 to file fraud claims to recover losses resulting from the breach.

Message to Processors

In its security update, Visa covers the current security environment, payment system risk strategy, global data security compliance efforts, compromise trends and PCI DSS.

As PCI DSS compliance rates rise, Visa says, new compromise trends emerge. Most relevant to the Heartland case: Card issuers and processors are increasingly targeted for fraud. Estimating the market value of compromised accounts, Visa says a single check card with track data and PIN information can sell for as much as $1000.

In tackling facts and myths about data compromises, as presented in the news media, Visa says:

No compromised entity has been found to be PCI compliant at the time of the breach;

Visa does support encryption for both online and batch files.

The presentation goes on to cover common compromise vulnerabilities, including:

Failure to secure and monitor connected non-payment environment;

Unprotected systems vulnerable to SQL injection attacks;

Corporate websites targeted to gain access to network;

Malware installed to capture passwords and cardholder data.

Visa then discusses compliance and compromise trends, stating there is too much emphasis on the PCI DSS validation finish line rather than ongoing security and compliance. "PCI DSS compliance is a 24 hour a day, 7 day a week, 365 day a year job," the presentation states.

Tactical Considerations

In discussing Visa's own corporate security measures, the presentation details Visa's global PCI DSS compliance framework, including compliance milestones to be met by merchants and service providers. Visa also discusses its global payment application security network, which includes mandates and deadlines to promote the use of secure applications.

Tactically, Visa says it is weighing several short-term adjustments, including:

Explore opportunities to detect system fraud runs to alert issuers;

Developing a tool for early identification of potential points of compromise;

Accelerate the use of existing fraud prevention tools;

Development of security best practices for issuers;

Ramp up communication campaign related to top vulnerabilities and mitigation strategies;

Enhancing the VNP Risk program.

Talking Points

In addition to the final call-to-action urging participants to continually update and bolster their security programs, Visa raises these questions as discussion points:

How does your organization go beyond PCI DSS to secure cardholder data?

What other standards or frameworks do you use as the basis for your Information Security Program?

How does your entity ensure continuous ongoing PCI DSS compliance?

What other industry best practices do you recommend to promote cardholder data security?

How can we collectively be more effective in protecting the payment system?