Heartland Data Breach: Visa Delivers Security Update to Processors
PCI Compliance is Main Theme of Presentation About Threats, Strategies

PCI compliance is the main theme of a Visa PowerPoint presentation entitled "Security Update," a copy of which was obtained by Information Security Media Group (ISMG). The presentation, dated March 5 and attributed to two of Visa's security leaders, attempts to separate PCI facts from myths, concluding "PCI DSS continues to serve as a robust foundation to protect cardholder data in a static data environment."
The presentation goes on to discuss compromise and compliance trends; details short-term tactical adjustments being weighed by Visa; and then offers a four-point call-to-action to processors to ensure their security programs are comprehensive and current:
When reached for comment on the security update, a Visa spokesperson declined, saying the company does not discuss internal documents.
Incident Response
Visa's outreach comes roughly two months after the revelation of the Heartland data breach, in which an undetermined number of consumer credit/debit cards were compromised by hackers in 2008. To date, more than 600 banking institutions have stepped forward to tell ISMG that tens of thousands of accounts were compromised and, in some cases, have been used to commit fraud.
Late last week, Visa announced that Heartland had been removed from its list of PCI DSS compliant service providers.
Visa also announced to card issuers that they have until May 19 to file fraud claims to recover losses resulting from the breach.
Message to Processors
In its security update, Visa covers the current security environment, payment system risk strategy, global data security compliance efforts, compromise trends and PCI DSS.
As PCI DSS compliance rates rise, Visa says, new compromise trends emerge. Most relevant to the Heartland case: card issuers and processors are increasingly targeted for fraud. Estimating the market value of compromised accounts, Visa says a single check card with track data and PIN information can sell for as much as $1000.
In tackling facts and myths about data compromises, as presented in the news media, Visa says:
The presentation goes on to cover common compromise vulnerabilities, including:
Visa then discusses compliance and compromise trends, stating there is too much emphasis on the PCI DSS validation finish line rather than ongoing security and compliance. "PCI DSS compliance is a 24 hour a day, 7 day a week, 365 day a year job," the presentation states.
Tactical Considerations
In discussing Visa's own corporate security measures, the presentation details Visa's global PCI DSS compliance framework, including compliance milestones to be met by merchants and service providers. Visa also discusses its global payment application security network, which includes mandates and deadlines to promote the use of secure applications.
Tactically, Visa says it is weighing several short-term adjustments, including:
Talking Points
In addition to the final call-to-action urging participants to continually update and bolster their security programs, Visa raises these questions as discussion points: