BreachExchange mailing list archives

Rare Legal Fight Takes On Credit Card Company Security Standards and Fines


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 16 Jan 2012 18:23:08 -0500

Visa and MasterCard fined a restaurant for a breach that two forensics
firms could not find evidence had even occurred. Once fined, U.S. Bank
jumped on to seize assets and have the fines increased.

http://www.wired.com/threatlevel/2012/01/pci-lawsuit/

A small celebrity-friendly restaurant in Utah is finally doing what
many merchants have only dreamed of doing for a long time — taking on
a part of the payment card industry’s powerful but flawed system for
securing card data by fining merchants for failing to secure their
data.
...

U.S. Bank seized about $10,000 from the McCombs’ account to pay
$90,000 in fines that Visa and MasterCard imposed after alleging that
Cisero’s had failed to secure its network and suffered a data breach
that resulted in fraudulent charges on customer bank cards. U.S. Bank
sued the McCombs to obtain the remaining balance on the fines, saying
a contract the McCombs signed with the bank makes them liable for such
fines.
...

The issue began for Cisero’s in March 2008, when Visa notified U.S.
Bank that Cisero’s network might have been compromised after cards
used at the restaurant were apparently used for fraudulent
transactions elsewhere. U.S. Bank, and its Georgia-based affiliate
Elavon, process the bank card transactions that customers make at
Cisero’s.

In the wake of the alleged breach, Cisero’s, per rules imposed by the
payment card industry, was required to hire a forensic investigations
firm — from a list of six firms approved by Visa and MasterCard — to
determine if a breach had occurred and if the restaurant was in
compliance with the so-called PCI security standards that were adopted
by the Payment Card Industry Council in 2005.

The McCombs hired two firms, Cybertrust and Cadence Assurance. Both
examined Cisero’s point-of-sale system (POS) and servers and found “no
concrete evidence that the POS server suffered a security breach which
led to the compromise of cardholder data” and no evidence that
insiders had installed skimmers on card readers to collect account
data. Cadence in fact determined that no evidence existed that payment
card data of any kind was improperly taken from Cisero’s systems.
...

Visa determined that the total cost of the liability for Cisero’s
noncompliance was $1.33 million, but ultimately set the fine at
$55,000, without explaining how it reached these figures, the McCombs
claim. MasterCard stated that although it could have imposed a fine of
up to $100,000 for the violation of storing card data, it decided to
impose a fine of only $15,000.

The fines increased after card issuers came forward claiming they
suffered losses from the alleged breach. Under recovery programs run
by Visa and MasterCard, card issuers that have suffered losses due to
data breaches can recover these losses from the bank of the merchant
accused of being the source of the breach. So after RBS Citizens Bank
and Chase claimed they had suffered $13,849 in losses from fraudulent
charges to their customers' accounts as a result of the alleged breach
of Cisero’s network, MasterCard added that to the fine, for a total of
about $90,000.
...
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
