PCI and the Data Breach
Today The Official Merchant Services Blog
continues looking at the bigger picture of the impact from the Global Payments Data Breach — specifically looking at the affect it’s going to have on PCI DSS as well as a little foray into State Security Breach Notification Laws.
You’ll remember yesterday we highlighted some of the criticisms found in the PCI DSS
, specifically this article
by Taylor Armerding which suggested that PCI compliance is not enough to protect data from the skilled and focused hackers who cause these data breaches.
We then focused on how PCI Compliance
is still a great foundation for your transaction security. The standards and protocols set up by the council are the first step a merchant needs to take to protect their data. And Host Merchant Services
offers a PCI Compliance Initiative
that helps its merchants quickly and seamlessly take that step.
Still the idea that PCI DSS is not living up to its billing as security shows itself in this story from Wired
about a small business filing suit against against its bank claiming that the financial institution, which used to process the restaurant’s credit and debit card transactions, wrongfully seized money from the business’ merchant bank account. In short, the business is suing the bank for taking funds as penalties for being non-compliant with PCI DSS.
Taking it to Cour
The story explains that Stephen and Theodoara “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah, racked up $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank seized about $10,000 from the McComb’s merchant account to cover those penalties and then sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.
The McCombs struck back with a bold countersuit. The story explains: “But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”
This suit challenges the basic foundation of PCI security standards and opens up a lot of old wounds and criticisms about PCI DSS in context of the card issuers that make the call and form the council for PCI DSS. As the story says: “The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”
The linked article provides much of the details that led to the data breach with Cisero’s, as well as why the fines and penalties were applied according to PCI DSS standards. The McComb countersuit relies heavily on their assertion that PCI DSS oversteps its bounds in applying those penalties, offers no recourse for people to dispute the penalites, and levies penalties against businesses for violations even when no fraudulent transactions occur.
The Cost of a Data Breach
This case above and much of the criticism targeting PCI DSS deals with the fines banks, processors and subsequently merchants face when data gets breached. This article
looks into the cost merchants face when the worst case scenario occurs. A lot of merchants feel that lack of compliance isn’t an issue because they feel they are not responsible of something goes awry. But this article sheds some light on that: “suppose you or your merchant is suspected of one of those inevitable human errors, or of being a victim of a hacker. As long as there isn’t actually a breach, it’s no big deal, right? Wrong.”
The article lists the costs of penalties:
- Forensics Audit done by investigators when they suspect your business is susceptible to a breach: Between $8,000 and $20,000
- $3 to $10 per card to replace all cards compromised in a breach that happens.
- $5,000 to $50,000 in fines for lack of compliance.
- And even further in fines specifically tied to any fraudulent transactions that do occur as a result of the breach.
The article states that the average cost comes to $36,000
, a hefty sum that can cripple small businesses. The McComb data breach may seem high in comparison, but going over the huge variance in the fine structure, it’s pretty easy to see how the bank came to a $90,000 figure.
Back to Global Payments
Speaking of the fees and penalties, it’s interesting to note that the company faces many of the same problems that small businesses do now that Global has been breached and run afoul of Visa in terms of PCI Security and Compliance. However this story for ZDNet
states that the company will likely absorb any costs from the data breach and not be affected as badly as some of the small businesses discussed above are affected by fees and penalties.
Global Payments continues to process, even after being dropped by Visa’s list of providers that meet security standards. The company is now working on being reinstated and once again being PCI Compliant. Working in their favor is their statements that they reported the breach to authorities the moment they found out it happened.
Which brings us to …
Security Breach Notification Laws
Security Breach notification laws were enacted in response to an escalating number of breaches of consumer databases containing personal information. The first such law was the California data security breach notification law, or SB 1386
. It was enacted in 2002 and became effective on July 1, 2003. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted similar legislation requiring the notification of security breaches involving personal information. The only states that currently have no such law on their books are Alabama, Kentucky, New Mexico and South Dakota.
- Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.
- Global Payment Systems is located in Georgia. The Georgia Security Breach Notification Law can be reviewed in its entirety at This Link and its subsequent amendment can be found at This Link.
These laws tend to follow a similar basic structure to the one California passed first in 2002 — companies need to immediately disclose a data breach to customers, usually in writing. There have since been a number of bills that would establish a national standard for data security breach notification but none have been passed in Congress yet.
The Bottom Line
So what does this all mean? For now it appears that Global is weathering the storm brought on by the news of the data breach. They’ve minimized the impact of the bad news and are working to get their compliance situation straightened out. The data breach has put the spotlight onto the PCI DSS itself and we’ve seen that some small businesses and merchants are highly critical of the system. Comparing the crippling fines they can theoretically face for a breach that leads to no fraud against the impact that a large processor like Global faces for the same type of problem can leave some thinking the system needs more oversight. But PCI DSS does set the bar for security. It forces hackers to work harder than they would if it didn’t exist. It is a first step in terms of what merchants and processors need to do to protect transaction and data security.
The court case in Utah is very fascinating as it really takes the contract aspect of the PCI DSS to task. The Official Merchant Services Blog
will continue to follow the news on that case. And we will keep you posted on the latest developments with this Global Payments Data Breach.