An interesting thought exercise is would businesses be compliant with an industry standard, such as PCI DSS, and regularly evaluate their security posture against this standard if there was NO fines, punishments, or financial liabilities present? Would organizations secure and establish the same safeguards, better safeguards, or let the environments float away out of a compliant posture?
These are the questions that comes to mind when reviewing the counter-lawsuit of the Utah Merchant against U.S. Bank claiming that the financial institution wrongfully seized money from their account. The money ($10,000) was seized to pay part of the $90,000 fine that Visa and MasterCard imposed on the establishment.
The case put forward by McCombs is summed up nicely by Wired – Threat Level, and vocalizes some of the complaints heard globally that PCI …
“force[s] merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”
What is interesting here is that … through forensic review the Merchant systems were proven to not have (likely) been breached, but Visa and MasterCard actually fined the Merchant $1.33 million for being non-compliance (a result of having used 2 of the 6 approved forensic firms). Ultimately the fines were reduced. An additional interesting bit is 2 banks stated they incurred losses as a result of CPP (Common Point of Purchase) breach sourcing technique. This added about $13k additional fines. Despite no evidence being provided.
This is a unique example where the correctness of passing liabilities to merchants and members of the payment card universe will be challenged. As a result the entire underlying Payment Card Data Security realm too.
Businesses of course have incentive to protect customer data, but to what extent and when the liability moves up to the payment gateways, banks, and card brands – how will practices change?
There are great examples of standards that are created collaboratively (NERC CIP pre-Energy Act Law) and adhered to, but there are many where standards exist without true adoption and success.
What will the protection of sensitive card data look like in the near future? How will information security programs evolve when there is no mandate? A lot of questions to consider moving forward.
James DeLuccia IV