Visa last week removed payment processors RBS WorldPay and Heartland Payment Systems from its list of companies that are compliant with the PCI data security rules following security breaches.

But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.

RBS WorldPay is a US-based division of The Royal Bank of Scotland Group.

The decision to de-list the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" RBS WorldPay and Heartland back on the compliant list, but only after they are re-certified by a third-party assessor.

Meanwhile, reports posted by a news aggregation site and by several blogs that follow the payment card industry also cited a 12 March letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.

RBS WorldPay also was placed on probation, according to those reports, although the payment processor denied that Visa had notified it of any such action.

Gartner analyst Avivah Litan said that if regulations were followed to the letter, Visa's actions mean that merchants could not use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).

It's highly unlikely, though, that Visa intends its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said.

Follow highlights from ComputerworldUK on Twitter

RBS WorldPay and Heartland are among the largest payment processors in the world, with hundreds of thousands of customers between them. According to Litan and other analysts, it's unrealistic to expect merchants that rely on those two companies to switch to other payment processing vendors, at least in the short term.

Instead, the sanctions appear to be designed primarily to take Visa out of the picture in any legal battles that may ensue as banks and credit unions try to recoup breach-related costs from Heartland and RBS WorldPay, Litan said.

Under Visa's security rules, she noted, a breached entity can avoid fines if it can show that it was in full compliance with the PCI DSS requirements before and at the time when the breach occurred.

Both RBS WorldPay and Heartland previously asserted that they had been assessed as being fully PCI-compliant prior to their respective breaches. Visa now appears to be attempting to make a case that neither company was compliant - a tactic that Litan thinks is aimed at preventing them from using PCI as a shield against lawsuits being filed by banks.

"It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."

David Taylor, founder of PCI Knowledge Base, a Web site that offers advice on PCI-related issues, said he isn't sure exactly what it means for a payment processor to be put on probation by Visa. But he added that he sees the de-listings and the reported probations as an attempt by Visa to show banks and the general public that it's doing something to penalise RBS WorldPay and Heartland for their breaches.

"It's a difficult situation for [Visa]," Taylor said. "Here are two of their larger payment providers with breaches within a relatively short period. Visa wants to let people know that they are serious about security." At the same time, the credit card company appears anxious to avoid any discussions about the effectiveness of the PCI standards, he added.

Taylor agreed with Litan that Visa's move to delist RBS WorldPay and Heartland from its PCI-compliant list will have little real impact on merchants that do business with the payment processors. "Just because they're no longer on Visa's list doesn't invalidate the contracts that merchants have with these two processors," he said. "This is all about Visa protecting Visa."

RBS WorldPay disclosed in December that the personal data of about 1.5 million holders of prepaid payroll and gift cards had been compromised during a system intrusion there.

Heartland reported a similar breach in January; the company, which processes more than 100 million transactions per month, has yet to say how many card numbers were compromised in the intrusion.

There is precedent for harsh action to be taken against a payment processor that has been breached. When CardSystems Solutions, then a major payment processor, was hit by a data breach that compromised about 40 million payment cards in 2005 - just months after the first version of the PCI standard was announced - Visa and American Express stopped doing business with CardSystems. It was later sold to another company that has since gone out of business.

But Jim Huguelet, an independent PCI analyst, said that Visa's relatively modest sanctions against RBS WorldPay and Heartland are understandable given the "competing interests" that the credit card company has to consider in such cases.

"Ultimately, a card processor is a business partner of Visa and the other payment brands - and it's difficult to levy significant sanctions against one of your largest business partners," he said.

In response to a request for comment about the sanctions, Heartland said via e-mail that it is "cooperating fully with Visa and other card brands" to ensure that the payment processing environment is secure.

The statement made no mention of Heartland's removal from the Visa PCI-compliant list or of its reported probation. But Heartland did say that it is undergoing its 2009 PCI assessment and that it hopes to be certified as fully compliant with the security rules by "no later than May 2009."

RBS WorldPay acknowledged that it had been removed from the PCI-compliant list and said that Visa had asked it to obtain a new certification of compliance because of the breach. The payment processor, which was certified as compliant with the PCI rules last June, said its goal is to be recertified by the end of April.

"There have been no material system changes that would have negatively altered [last June's] certification, and we have in fact enhanced the security of our systems in the interim," RBS WorldPay said. "[But] because of the criminal intrusion, we need to be recertified earlier than the normal schedule."

Visa, meanwhile, declined to comment on the implications of its move to delist the two companies, including the issue of whether merchants would be required to sign up with new payment processors in order to remain PCI-compliant.