BreachExchange mailing list archives
Rare Legal Fight Takes On Credit Card Company Security Standards and Fines
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 16 Jan 2012 18:23:08 -0500
Visa and Mastercard fined a restaurant for a breach that two forensics firms could not find evidence even occurred. Once fined, US Banks jumped on to seize assets and have the fines increased.

http://www.wired.com/threatlevel/2012/01/pci-lawsuit/

A small celebrity-friendly restaurant in Utah is finally doing what many merchants have only dreamed of doing for a long time — taking on a part of the payment card industry’s powerful but flawed system for securing card data by fining merchants for failing to secure their data.

...

U.S. Bank seized about $10,000 from the McCombs’ account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

...

The issue began for Cisero’s in March 2008, when Visa notified U.S. Bank that Cisero’s network might have been compromised after cards used at the restaurant were apparently used for fraudulent transactions elsewhere. U.S. Bank, and its Georgia-based affiliate Elavon, process the bank card transactions that customers make at Cisero’s.

In the wake of the alleged breach, Cisero’s, per rules imposed by the payment card industry, was required to hire a forensic investigations firm — from a list of six firms approved by Visa and MasterCard — to determine if a breach had occurred and if the restaurant was in compliance with the so-called PCI security standards that were adopted by the Payment Card Industry Council in 2005. The McCombs hired two firms, Cybertrust and Cadence Assurance.

Both examined Cisero’s point-of-sale system (POS) and servers and found “no concrete evidence that the POS server suffered a security breach which led to the compromise of cardholder data” and no evidence that insiders had installed skimmers on card readers to collect account data. Cadence in fact determined that no evidence existed that payment card data of any kind was improperly taken from Cisero’s systems.

...

Visa determined that the total cost of the liability for Cisero’s noncompliance was $1.33 million, but ultimately set the fine at $55,000, without explaining how it reached these figures, the McCombs claim. MasterCard stated that although it could have imposed a fine of up to $100,000 for the violation of storing card data, it decided to impose a fine of only $15,000.

The fines increased after card issuers came forward claiming they suffered losses from the alleged breach. Under recovery programs run by Visa and MasterCard, card issuers that have suffered losses due to data breaches can recover these losses from the bank of the merchant accused of being the source of the breach. So after RBS Citizens Bank and Chase claimed they had suffered $13,849 in losses from fraudulent charges to their customer’s accounts as a result of the alleged breach of Cisero’s network, MasterCard added that to the fine, for a total of about $90,000.

...