Comments on: Visa Suspends Heartland: A Little Revisionist History?

By: Anthony M. Freed

Anthony M. Freed — Wed, 18 Mar 2009 03:48:14 +0000

I think it will be sometime later this year that we finally find out that there have been multiple breaches across the entire industry, and they are most likely related.

The extent of the breach is so pervasive that to suspend any one processor would be precedent to suspend them all once the full impact of this complete undermining of PCI DSS is revealed.

I’ll throw out another prediction: Bob Carr of Heartland is going to resign shortly, and it may be due to the SEC/FTC investigation.

As of the 3-11-09, Robert O. Carr is completely divsted from the company he built.

Yes, there was a recent “forced sale” of stock that was collateral for HPY loans, but there is obviously more to all of this than we know now.

One more, just for luck: The cost to HPY to replace the compromised cards, even if only at $2 a pop, could easily reach levels that rival their market cap – and that would be big trouble.

If the costs, fines, and lawsuits add up to around $100 Million, HPY would very likely go into bankruptcy.

If HPY is BK – then it’s number one creditor, Key Bank, takes a big hit.

So, theoretically, the breach at Heartland could cause a stable bank like Key to become a another TARP sucking blight on our nation, and more shareholders will have been unnecessarily harmed.

And there are way worse processors than Heartland – where will their clients turn?

By: Anton Chuvakin

Anton Chuvakin — Mon, 16 Mar 2009 17:52:33 +0000

â€œAs of today, no compromised entity has been found to be compliant at the time of the breach.â€ And it shall forever be so.”

Why do you think that, about the “forever” part? Today “change after the assessment” scenario is the one leading to breaches, but in the future it might well change: for example, if some co is breached via a mechanism not covered by PCI than the above will not longer be true.

Thus, â€œAs of today, no compromised entity has been found to be compliant at the time of the breachâ€ might well represent today’s reality, not simply marketing posturing…

By: Greg

Greg — Mon, 16 Mar 2009 16:04:30 +0000

The question to me seems to be this: During the post-breach investigation, was the breach possible because of a failure to properly implement a PCI requirement? That is the important question.

The next, much less important question may be: Were there any MATERIAL PCI requirements not met that DID NOT contribute to the breach.

And then, finally, Were there any NON-Material PCI requirements not met (like a signature missing from an acceptable use policy).

The binary view of PCI complaince does not serve very well when trying to understand how high the wall is built to keep the bad guys out.

By: Howard Falcon

Howard Falcon — Mon, 16 Mar 2009 15:22:38 +0000

Would anyone expect anything else? Did anyone expect that Hartland would have to stop taking transactions? Does anyone believe that the credit card associations care about anything other than their own Brand?

Altbough PCI is a valuable organization in that controls are need to protect card holders and their data, should the card associations be controlling it or is it objective enough to faily provide regulations at all levels regardless of it size and service?

Major Point… If you are hacked, by definition you can’t be PCI compliant.

By: Rob Martell

Rob Martell — Sat, 14 Mar 2009 04:08:21 +0000

Haha. In my past life, when dealing with auditors, we always figured that if we thought something was questionable (expense or asset sort of thing) then we would do a best-guess and let the auditors find it. Mostly because if auditors don’t find SOMETHING to quibble about, they will get so anal that it wasn’t even mentionable in public.

Just for Grins,
R