NEW YORK (3/16/09)--Credit card processors Heartland Payment Systems and RBS WorldPay have been removed from Visa's list of service providers that are compliant with Payment Card Industry Data Security Standards (PCI DSS), Visa announced Friday. Both processors have had massive data breaches in recent months affecting hundreds of credit unions and banks and thousands of members. The decision is significant because merchants accepting Visa and MasterCard are required to use processors that are PCI compliant or risk paying fines themselves (SCMagazine March 13).
Key players in the card industry had established a single standard to serve as a consistent framework of data security requirements. "Compliance with the PCI DSS has significantly reduced unauthorized access to cardholder data," Visa said Friday. "Recently Heartland Payment Systems and RBS WorldPay publicly disclosed unauthorized access to their systems resulting in the compromise of card account information from all major card brands," Visa said. "Based on compromise event findings, Visa has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers."
However, Visa added that "Heartland and RBS WorldPay are actively working on revalidation of PCI DSS compliance using a Qualified Security Assessor. Visa will reconsider relisting both organizations following their submissions of their PCI DSS reports on compliance."
Heartland, which disclosed Jan. 20 that malicious software may have exposed tens of millions of records from its system to hackers, said in a statement it was "pleased to continue our long relationship with Visa. Heartland is cooperating fully with Visa and other card brands, and we are committed to having a safe and secure processing environment." It had been certified as PCI DSS compliant in April 2008. Its assessment will be completed by May, Heartland said (TheTechHerald March 13). RBS's data breach, announced in December, compromised 1.5 million cards.
The breaches, as well as those of the Hannaford Bros. grocery chain and discount retailer TJX Cos., have all affected credit unions. But Hannaford and Heartland had said they were PCI DSS compliant at the time of the breaches. As a result, there has been debate about the effectiveness of the standards against highly sophisticated organized networks of cybercriminals.
Meanwhile, in another development, a data breach announced in late February that affected credit unions and banks was not a breach of a new payment processor, but was instead related to an earlier incident, Visa said last week. It did not identify the unnamed card processing company (Computerworld March 9). News of it surfaced when Visa and MasterCard began to quietly alert credit unions and banks that an unnamed credit card processing company experienced a compromise of its systems (News Now Feb. 24).