Wednesday, March 18, 2009

Heartland and Visa - a big case of CYA?

The latest salvo in the Heartland saga is Visa's decision to delist both Heartland and RBS WorldPay from the PCI DSS compliance list. According to a harsh assessment by Avivah Litan, Gartner analyst: "It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."

Ouch. These are interesting developments, and they raise some questions:

  • Is complying with PCI no longer enough?
  • Was Heartland really compliant?
  • Or did the auditors not do a good job when they looked at Heartland?
  • Do compensating controls not do the job?
  • Is the PCI standard too vague and open to interpretation?
  • Or is Visa just ensuring it does not get caught in the legal storm brewing around the breach?

Questions, questions...

I hope that this drives the industry forward in creating better standards, better auditors and better solutions that can address the increased threats we face daily; all we can do is look for the silver lining in this debacle...
