I know that if there were no merchants there would be no credit card companies and I know that the “alternative” payments market is growing, such as PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments.
This is why when I read about a merchant suing a credit card company I was surprised. Not surprised that VISA had fined a merchant, not surprised that a merchant was upset at being fined but surprised it had got to court because that means normal reasonable commercial communication channels had failed.
On the 7th March Sports retailer Genesco filed a lawsuit against Visa to recover nearly $13.3 million in fines that the credit card company issued in January 2013 following a breach of the retailer’s systems.
The lawsuit argues that
- Visa is not allowed to require other companies to pay penalties citing Visa’s own operating regulations and California law.
- That Genesco was never out of compliance with PCI DSS regulations, and so it should not have been fined.
In December 2010 Genesco confirmed that a breach had happened within its credit card processing environment and speculation at the time was the hackers used a packet sniffer to siphon card data as it passed through the network.
The initial VISA fines of $5,000 via each of Genesco’s two banks was issued in June 2011 which is a standard charge and depending on your location will be 5,000 of the local currency for example, $5,000, €5,000 or £5,000.
Irrespective of the currency 5,000 is nothing more than a formal acknowledgement that the merchant is non-compliant to PCI DSS or was at the time.
If a merchant has never successfully completed an Audit or Self Assessment Questionnaire (SAQ) then they are non-compliant, bearing in mind that the standards were issued almost 8 years ago I think it is about time they were compliant.
However, in the case of a merchant who was successfully audited but then had a breach or failed to maintain the standard it is not so black and white.
Merchant who suffers a Data Breach
A PCI DSS compliant merchant who has a data breach is normally discovered by clever algorithms used by the card schemes, which based on fraudulent activity find the centre of the breach. Once the merchant at the centre of the breach is established they are required to undertake data forensics by an approved forensic company who using extensive skills and tools will establish how the credit card data was stolen for example via packet sniffing. The forensic report is shared between the affected parties, the merchant, the bank and the credit card companies.
The results of the forensic investigation may or may not show that the merchant had or had not been compliant to the standard at the time of the breach. It is reasonable to assume that the bad guys installed software or broke into Genesco and almost all scenarios for such a break in are covered by the PCI DSS and therefore the company could not have been taking adequate steps and was by definition not adhering to the requirements of the standard which means they were not compliant.
Merchant who fails to maintain the standard
It is very difficult to find a merchant who has failed to maintain the required standards unless
- There is a breach
- There is a whistle blower
- A customer or someone similar notices practise that do not appear secure
At this point the merchant will be required to prove there are still abiding by the standard which may take the form of a forensics investigation, an audit, a letter from their QSA or a letter from their directors.
The non-compliance fine is not the biggest problem for Genesco it is the $13.3 million fine levied by VISA via Genesco’s two banks (Wells Fargo $12 million and Fifth Third $1.3million) for the costs incurred by VISA whilst resolving the breach e.g. credit card replacement, fraud cover, etc.
Visa’s imposition of the (fines) is a violation of Visa’s contract (with the banks), because at the time of the intrusion and all other relevant times, Genesco was in compliance with the PCI-DSS requirements,” the lawsuit stated. It added later,
“Visa does not even pretend that the Non-Compliance Fines represent actual damages that Visa incurred by reason of the Acquiring Banks‘ alleged failure to cause Genesco to maintain compliance with the PCI-DSS requirements”
The interesting thing for me is the nature of the way Merchants use VISA, MasterCard and the other credit card providers. The credit card company provides the facilities for the merchant’s (retailer) customers to buy from them in a secure and efficient way. They pay a percentage of the transaction to cover the costs (and profits) of the credit card companies and this percentage is agreed in a contract. The same commercial contract that agrees the other terms and conditions including the security required to perform the transaction.
To avoid confusion and rogue traders the credit card companies created the Payment Card Industry Security Standards Council who took the best security practises from the five credit card company members to create the Data Security Standard (PCI DSS).
This standard is an extension of the contract as will be the agreements for fees.
However because the cost of a data breach could never be known until it has occurred it is impossible to quantify the cost of a breach in a contract which is where I do have a great deal of sympathy for merchants because they are agreeing to fines but have no idea how much it is going to be or could be.
I remember in a meeting with several of the card companies and the discussion centred on repeat offenders i.e. merchants who kept being breached or who refused to become compliant to PCI DSS and whilst fines were mentioned it was agreed merchants might be tempted to absorb small fines if it was cheaper than achieving the required security standards and then the ultimate sanction was raised… STOPPING THEM FROM TAKING CREDIT CARD PAYMENTS.
What a sanction that is, because for almost all e-commerce business and most consumer driven business that would mean going out of business in a matter of weeks or possibly months.
As a consumer all I care about is being safe from the costs of the fraudulent activity against my stolen credit card but increasingly we as consumers are worried about the threat to our identity and expect when credit card details are leaked to be covered for all identity based threats resulting from the possible loss of data which increases the cost to the breached company, possibly via the credit card company.
I have a huge amount of sympathy for Genesco and every other merchant affected by a breach because they do not know what the possible cost to them will be. They cannot take out cyber-insurance against a specific amount “just in case”, they have to hope that the loss to the credit card company is not too great.
That is not a great way for a merchant to mitigate its risk and that cannot benefit the card companies who want prosperous and secure merchant to help them grow their profits.
The solution is simple, the credit card companies have to introduce and publish a schedule of fines from which a merchant can calculate their risk.
If a merchant knows, based on their transaction rate, that they could be liable for fines of $13.3 million then they can invest greater resources into breach prevention or seek to undertake insurance against the cost of a breach either way they can make an informed risk assessment.
Similarly if merchants who have not yet completed their PCI DSS compliance process know they could be fined for non-compliance PLUS X or Y for a breach they can will very quickly run a risk assessment.
let’s hope a result of this action is a clearer picture on fines because clarity in business and risk is essential.