Rare Legal Fight Takes On Credit Card Company Security Standards and Fines

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/threatlevel/2012/01/pci-lawsuit/

By Kim Zetter
Threat Level
Wired.com
January 11, 2012

A small celebrity-friendly restaurant in Utah is finally doing what many 
merchants have only dreamed of doing for a long time — taking on a part 
of the payment card industry’s powerful but flawed system for securing 
card data by fining merchants for failing to secure their data.

Stephen and Theodora “Cissy” McComb, owners of Cisero’s Ristorante and 
Nightclub in Park City, Utah, have filed a lawsuit against U.S. Bank 
claiming that the financial institution, which used to process the 
restaurant’s credit and debit card transactions, wrongfully seized money 
from the McCombs’ merchant bank account.

U.S. Bank seized about $10,000 from the McCombs’ account to pay $90,000 
in fines that Visa and MasterCard imposed after alleging that Cisero’s 
had failed to secure its network and suffered a data breach that 
resulted in fraudulent charges on customer bank cards. U.S. Bank sued 
the McCombs to obtain the remaining balance on the fines, saying a 
contract the McCombs signed with the bank makes them liable for such 
fines.

But in their countersuit against U.S. Bank (.pdf), the McCombs allege 
that the bank, and the payment card industry (PCI) in general, force 
merchants to sign one-sided contracts that are based on information that 
arbitrarily changes without notice, and that they impose random fines on 
merchants without providing proof of a breach or of fraudulent losses 
and without allowing merchants a meaningful opportunity to dispute 
claims before money is seized.

[...]

_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn