Visa issued a statement "clarifying" their original position, despite the fact that their original position was quite clear. Gartner issued a brief report Monday (March 23) saying that "this statement clarifies much of the confusion that arose after Heartland and RBS WorldPay were removed from Visa's list of PCI-certified service providers. Visa had to stand by its long-standing policy, but its delisting decision had raised questions about whether the processors' clients could continue to do business with them."
That's the part where I get lost. What was so confusing about Visa's original statement that "Heartland will continue to serve as a processor in the Visa system"? Did people think that Visa would tell retailers that a vendor "will continue to serve as a processor in the Visa system" and then turn around and fine—or decertify—them for doing so?
Some of the explanation behind this comes from Heartland itself, which added some clarifications of its own on its site in an area written for merchants. "You may have been approached by Heartland's competitors making false claims such as: 'You could be fined because you use Heartland' or 'You will not be PCI compliant if you use Heartland.' Through a series of cease and desist letters, Heartland has informed competitors that their untrue and misleading claims are baseless and unlawful. Heartland intends to initiate legal action against them if they do not immediately stop making these claims."
What's this? A breached processor actively defending itself? Rivals are not the only ones to feel Heartland's ire. Last Thursday (March 19), a software security company called Cloakware issued a news release about five security holes that it wanted to flag to the world. This wasn't exactly a lot of insightful or surprising stuff (the top item on their list was "Using Vendor-Supplied Default Passwords," followed by "unsecured access to cardholder data"). But what caught our eye was a reference near the end of the statement that said, "Heartland Payment Systems recently announced that tens of millions of credit and debit card transactions were compromised, signaling the worst breach in the Payment Card Industry history."
Funny, I hadn't recalled seeing any such statement from Heartland and I somehow think I would have remembered that one.
Indeed, Heartland has been almost robotic in its consistency that it has had no clue how much data—if any—has been captured. A spokesperson for Cloakware—Katy Zack—defended the reference, saying that Heartland has said that it handles 100 million transactions a month and that it has been breached. Therefore, a very generous definition of compromised would include any piece of data inside any entity whose security has been penetrated. To be precise, Zack pointed to a USA Today story and said that Heartland was quoted as describing "hundreds of millions of transactions," but the story merely said 100 million. No matter. "In Cloakware's press release, we inferred that it was put in the public domain via an interview with the company's president and CFO," Zack wrote. "We just said that these transactions were compromised, not stolen."
That's a very fine line, but vendors going for informational stretches is nothing unusual. What was unusual was what happened next. Asked to verify that they hadn't changed their tune, Heartland spokesman Jason Maloni assured us that they hadn't. Later that evening, PRNewswire issued the following notice: "In the news release, Top Five Pitfalls Identified for Securing Retail Cardholder Data, issued March 19, 2009 by Cloakware Inc. over PR Newswire, we are advised by the company that the ninth paragraph in the original release should be disregarded." Yep, that disappearing graf was the one referencing Heartland, the exact paragraph Cloakware had just defended.
There is something delightfully refreshing about how Heartland is handling this breach. Consistency, openness and an insistence on the truth? I could so very easily get used to that.
To be fair, Heartland hasn't been perfect and there are still many holes in its public tale. At this late stage, it strains credulity for them to still say they have no rough idea of how many pieces of data have been grabbed. But there's still something nice about waiting to have relatively solid details before making a statement.