Visa drops RBS subsidiary from compliance list after data breaches

Two giant payment processors have been de-listed by Visa, but is the move about data security or about future legal action?


Visa last week removed payment processors and RBS WorldPay and Heartland Payment Systems from its list of companies that are compliant with the PCI data security rules following security breaches.

But analysts said the move may be more about protecting Visa itself than about safeguarding payment card data.

RBS WorldPay is a US-based division of The Royal Bank of Scotland Group.

The decision to de-list the two payment processors was based on "compromise event findings," Visa said without elaborating. The company added that it would "consider" RBS WorldPay and Heartland back on the compliant list, but only after they are re-certified by a third-party assessor.

Meanwhile, reports posted by news aggregation site and several blogs that follow the payment card industry blogs also cited a 12 March letter from a Visa executive to banks notifying them that Heartland was now "in a probationary period" during which it would have to meet more stringent security requirements than usual.

RBS WorldPay also was placed on probation, according to, although the payment processor denied that Visa had notified it of any such action.

Gartner analyst Avivah Litan said that if regulations were followed to the letter, Visa's actions mean that merchants could not use either Heartland or RBS WorldPay to process payments if they themselves want to remain compliant with the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS).

It's highly unlikely, though, that Visa intends its sanctions against the two payment processors to be interpreted in such a restrictive way, Litan said.

Follow highlights from ComputerworldUK on Twitter

"Recommended For You"

Retailer faces uphill battle in $13M lawsuit against Visa, analyst says Confused companies get checklist for PCI standard compliance