It Is Time to Fight Back!
Who are the criminals? For several years now I have fielded Member calls regarding Payment Card Industry (“PCI”) rules and regulations. People often treat these as if they were laws, when, in fact, they are not. They are rules promulgated by the Payment Card Industry Council that is dominated by the card issuers. The Retail Solutions Providers Association (RSPA) fully supports payment card security both at the point of sale and throughout system use. RSPA Members are part of the distribution channel, but along with merchants comprise the two groups most often penalized for violations of the PCI rules and regulations. Merchants and Resellers are not the criminals that hack into systems and steal payment card information, but are the groups that are called upon to pay the price. This price can easily put a Merchant or Reseller out of business.
Many merchants have little alternative but to accept payment cards to conduct their business. Merchants contract with Resellers, Processors, and Banks to establish systems that accept and process their card receipts. Each step involves a contract that receives less and less attention as it progresses up the channel. It should be of no surprise that the Banks, Processors, and System Developers have legal agreements that fully protect them from liability for a system breach by a criminal. Hopefully, Resellers have implemented similar legal protections, but often these are not up to date. Thus when a breach takes place on a system purchased by the Merchant for payment card processing, it is the Merchant with the broadest exposure.
A criminal breach can take months to detect, and when that happens a series of events unfold. If the Processor, Bank, or Card Company believes it has identified the source of the breach, funds can be automatically deducted from merchant bank accounts, forensic audits are required, and huge demands are made upon the Merchant in the form of fines, penalties, and the cost to reissue cards. The amounts demanded can be enough to put most merchants out of business, and the claimed factual basis for the assessment is not disclosed. Although the fines, charges, and penalties can reach six and seven figures, eventually a lesser sum is proposed to resolve the breach and, although painful, it is usually accepted by the Merchant.
It is virtually impossible for a small Merchant to comply fully with the moving target of PCI rules and regulations. The twelve basic requirements entail many hours of work, and in difficult economic times businesses lack the manpower for compliance. Merchants are struggling to earn a profit and feel they have purchased systems from others to meet their requirements. Scores of merchants have refused to upgrade systems due to either a lack of funds or a lack of trust that it is necessary. Merchant systems are often used for more than credit card processing and become vulnerable to outside criminals. When the merchant is fined, penalized, and charged, he looks to others to make him whole. The Reseller is the most likely step on the ladder. The processor has stopped accepting charges and the bank has taken whatever funds were in the merchant’s account. The merchant and the Reseller often do not have the finances to litigate and therefore in many instances accept a settlement. Merchants are bullied into a settlement, and Resellers are required to participate in order to avoid litigation of their own.
An opportunity has arisen to examine the rules and regulations imposed upon merchants. An alleged breach occurred in a restaurant point of sale system. Information suggesting a common point of purchase for the compromised cards does not clearly indicate that the restaurant was in fact the cause of the breach. There has been a forensic audit resulting in the demand for fines and penalties. The basis for the fines and penalties does not correlate to the volume of charges on MasterCard and Visa. Compromise amounts were rejected for Visa due to a lack of support for the amounts. The restaurant and Reseller were sharp enough to change processors immediately, and thus only limited amounts were deducted.
The processor has sued the restaurant for the remaining amounts. To RSPA’s knowledge this is the first instance where a merchant has been sued for the amounts demanded for a PCI breach. A leading Washington, DC Law Firm with extensive knowledge of the payment card industry stands ready to defend the merchant and pursue numerous counterclaims. The litigation should provide an opportunity to go behind the demands and determine the legality of the PCI enforcement process and the basis for the amounts claimed.
If you have ever faced or feared a claim based upon a PCI breach this is your opportunity to collectively support litigation challenging both the fairness and the lawfulness of the system. RSPA is not challenging payment card security, but the procedures imposed when a breach occurs or is believed to occur. It is time to fight back! Please join us today with your support.
* RSPA supports PCIFairness.com. We encourage you to donate to help this cause. Please visit PCIFairness.com to donate today.