We've noted the often staggering fees associated with a credit card breach, normally accompanied by a slew of bad press. We've seen Stratfor, in light of their recent hack, dealing with public exposure issues due, in part, to unencrypted payment card information (for which, to their credt, they’ve publicly apologized for). Now we see a merchant questioning the Payment Card industry (PCI) and their bank regarding penalties perceived as heavy-hande, often confiscated from the merchant’s bank account with little notification and little recourse.
Of course, we recommend a series of steps to secure your infrastructure against potential breaches in the first place, including encrypting payment card information. But in this case, Cisero’s Ristorante and Nightclub, in Utah, purchased their Point-of-Sale technology from a third party (which is quite common) named Micros, who allegedly violated Payment Card Industry (PCI) compliance by storing unencrypted payment card data. The restaurant owners claim they didn’t know information was unencrypted – most POS user merchants probably wouldn’t either. That didn’t stop the restaurant owners’ merchant bank account from being emptied, and they’re more than a little upset.
Since their account didn’t contain a balance equal to the penalty fees assessed by Visa during the breach, U.S. Bank took their existing balance, about $10,000, applied it toward the fees and then sued them for the balance – some $90,000.
The restaurant owners fought back. In a countersuit filed against U.S. Bank and its affiliate Elavon, they criticize the lack of “proper notification and opportunity to contest the false assumptions underlying the penalties.” They say the money is seized up front following an allegation of a breach, and the merchant has little recourse.
Because of the lack of formal dispute process, they allege the payment card vendors treat it as a quick-profit center, stating in the counter-suit, “These are punitive fines that bear no relation to any amount of actual losses. In fact, Visa and MasterCard will impose these fines even though there has been no fraud loss at all because these fines are profitable to them. Ultimate liability for the fines flows to the merchants like Cisero’s.”
The restaurant owners also question whether it can be proven that the breach actually occurred at their restaurant at all. The methodology for “proving” that the breaches occurred at the restaurant is in question – they want proof the breach occurred from payment card information captured at their establishment. The owners say they hired two third party security firms who found no evidence of a breach at their restaurant.
Regardless of the outcome, the message for small business is that they should do everything they can to avoid a breach, including knowing something about the security stance of any third party providers they contract with that may handle sensitive data. If you’re a small business and this is outside of your core expertise, having an annual security audit, even if informally, makes some sense. Of course, some small businesses (or large) haven’t taken the simple steps to encrypt their own sensitive data, which often has a very low cost to implement and can go along ways towards thwarting attackers and avoiding public embarassment.
Author Cameron Camp, ESET