Re: Unnamed Acquirer Processor Breach Timeline

["DAIL, WILLARD A" <ADAIL () sunocoinc com>]

There is room of an all-day discussion around online merchants, but indirectly you do bring up the point that if the 
issuer knows a card has been compromised and fails to act, does the issuer bear any liability for downstream fraud to 
the merchants, because deactivating the card would have prevented the fraud in most cases (the clerk manually forcing 
approval is the exception).
 
I would think the processing agreement and civil law or Section 5, FTC might not see eye-to-eye here.

________________________________

From: dataloss-bounces () datalossdb org on behalf of Tom Mahoney
Sent: Thu 2/26/2009 5:22 PM
To: dataloss () datalossdb org
Subject: Re: [Dataloss] Unnamed Acquirer Processor Breach Timeline



Am I missing something or are Willard and the rest forgetting an
important part of this 'potential' breach?  Given that there is no
track data involved, it would seem that on-line merchants are at the
most risk here because of chargeback rights.

As the Pennsylvania Credit Union Association so aptly put it, "Since
track data was not compromised, we are not suggesting that you block
and transfer these compromised accounts. Chargeback rights should
exist for all Card Not Present transactions simply by the cardholder
asserting a dispute for the unauthorized transactions.

In other words, issuers shouldn't worry about preemptive card
replacement; they can stick it to the on-line merchants.  Of course
the issuers will gain a few dollars in chargeback fees along the way
and the e-Commerce merchant will loose their product and shipping and
pay the fine for being another victim of fraud.  They are, after all,
the path of least resistance for the issuers.

Tom Mahoney, Founder & Director (and resident cynic)
Over 3800 Merchants united to protect themselves
http://www.merchant911.org <http://www.merchant911.org/> 


At 11:31 AM -0500 2/26/09,  DAIL, WILLARD A typed out:
> An important distinction, I think is issuing bank vs. acquiring bank.
> Imagine the Visa interchange as a cloud in the middle of a page.  To the
> right are the issuing banks.  They carry all of the liability for fraud
> and their customers are the consumer, who uses the credit card.  They
> make their money in interest and fees associated with the consumer's use
> of the card.
>
> To the left of the cloud is the acquiring bank.  Their customers are
> merchants, who they sign up to accept credit cards.  These banks make
> their money from transaction fees levied on the merchant.  Sometimes, an
> entity can be both an issuer, an acquirer (or a gateway, service
> provider, or any number of functional designations), but not always.

--
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss



This message and any files transmitted with it is intended solely for the designated recipient and may contain 
privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in 
whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and 
delete the original and any attachments.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss