The Latest Chapter In Heartland's Alice In Wonderland PCI Journey

The back-and-forth compliance dance that is being forced upon Heartland Payment Systems took its latest journey through the PCI Looking Glass Friday (May 1), with Heartland declaring that it has now returned to Visa's list of PCI DSS validated service providers (aka the list of providers that Visa heartily recommends today but will deny ever having heard if they're breached tomorrow).

The journey began when Heartland was certified PCI compliant in April 2008. A few months later, Heartland was severely breached and Visa began its revisionist history dance. Given its public stance that no PCI-compliant merchant or processor had ever been breached, Visa determined that Heartland therefore could not have been truly compliant in April 2008. On March 12, 2009, Visa removed Heartland from the compliant list.

But just in case someone might mistake this move as Visa actually caring about security, Visa stressed to retailers that everything was OK and that they were completely safe in using Heartland anyway. It wasn't quite "ignore that man behind the curtain" but it was close. (I know that I'm mixing literary metaphors, with both Alice's Adventures in Wonderland and The Wizard of Oz, but the circumstances make it hard to resist. At least I'm not casting Visa as the Cowardly Lion who makes a fierce sound but is ultimately gutless when pushed. Give me some credit for that.)

Heartland is now being certified again as being PCI compliant. Are these the same people that certified Heartland the first time? I withdraw. Such things are not polite to ask. So now the certification—which Visa says is terribly important, except when they say otherwise—is back on.

What should a retailer do with this information? Exactly what Visa had suggested: ignore it. The PCI program is a very good cause and should be applauded, but the very nature of such programs, a point-in-time assessment based on whatever the assessor happens to be shown, makes the resulting certification not especially meaningful to outsiders. It says that on the day of the assessment, the controls the assessor looked at appeared to be in place; it says nothing about the day after, or about anything the assessor didn't see.

To the retailer or the assessor, it could flag trouble spots, but a processor that is labeled PCI compliant may very well not be. (My colleague, Dave Taylor, last week brilliantly detailed why the PCI grading system doesn't work.) That leaves retailers with the same due diligence process they've relied on for decades when evaluating security partners: Ask a ton of questions, talk with others in the community, make your best choice, have the lawyers carefully craft agreements and then watch everyone carefully.

But ultimately, there is no PCI safe harbor and there really never was. Using people on a list provides no guarantees, nor should it. In the meantime, it's good to know that Visa has welcomed Heartland back to the list that they told people to not worry about. The Mad Hatter and the Cheshire Cat would have been proud.