
Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core

If courts were to reverse $13 million in fines levied by Visa against the retailer, it could take a lot of wind out of PCI's sails

As the security industry digests the news that for the first time a merchant is taking a major card brand and its payment processor to court over PCI noncompliance fines, speculation has started to fly about the long-range impact the case could have on the PCI compliance ecosystem.

On its face, the $13 million complaint from Tennessee-based retailer Genesco against Visa seems like pretty standard business litigation. But according to some, the suit has the potential to disrupt PCI's influence in the merchant community.

"It really doesn't look on the first account to be a very big case, but it's the first retailer that kind of goes up against the establishment," says Torsten George, vice president of worldwide marketing, products, and support for Agiliance. "If the court would decide to reverse the penalties imposed on Genesco, it would really shake the foundation of the PCI Security Standards Council to its core."


Last week, Genesco petitioned the court in Tennessee for an order requiring Visa to reimburse the company for more than $13.3 million in penalties collected on the card brand's behalf by payment processors Wells Fargo and Fifth Third Financial Corp. following a 2010 data breach at the sports retailer. The heart of the case revolves around Visa's contractual language about what constitutes noncompliance for the purpose of levying fines. In its suit, Genesco contends that it was in compliance with PCI rules at the time of the breach.

Some security experts have little patience for Genesco's quibbling, arguing that the firm should divert resources away from the courtroom and into the data center to improve its security program. "This lawsuit strikes me as a little ridiculous," says Tim 'TK' Keanini, chief research officer for nCircle. "Genesco would be far better off spending those legal fees on a more effective security program so they can better protect their customers in the future."

According to Keanini, PCI as a standard sets the minimum level of security for regulated merchants pretty low. He doesn't agree with George that the case will have much of a long-term effect on PCI, but he says it should serve as a warning to insecure but QSA-approved organizations.

"I seriously doubt that this lawsuit will have any impact at all on the standard, but it should be a cautionary tale for all merchants," he says. "You can be PCI-compliant and still be breached -- it's time for everyone to step up their security game or suffer the consequences."

Some experts point out that the root cause of the conflict in this case lies not in the security standards themselves, but in how the card brands and payment processors choose to impose financial penalties for noncompliance and breach events.

"This is a PCI contract dispute," says William Hugh Murray, an information assurance executive consultant, trainer, and associate professor at the Naval Postgraduate School, who says the courts are around for just this kind of clash. "This particular dispute arises, in part, because the payment processors deduct their 'fines' from the revenue they collect for the merchant. The merchant has to sue the payment processor to get his money back rather than the processor having to sue the merchant to collect the fine. There is a presumption in favor of the payment processor built into the system."

In fact, a number of controversies have been brewing over the financial repercussions that payment processors and card companies attach to PCI. For example, George notes that many within the security industry have grumbled at the lack of standards in the way penalties are levied against breached or noncompliant companies.

"You can see if you read through the case, MasterCard assessed over $2 million in penalties, and Visa went out and said, 'Well, we are going to charge you more than $13 million,'" he says, "so it's obviously subjective."

And those are just the fines levied by the card brands through their acquiring banks or processors as a consequence of a breach. There is also the controversial matter of monthly PCI noncompliance fees charged by payment processors against small to midsize merchants.

According to Alan Shimel, co-founder and managing partner at The CISO Group, the revenue stream generated by these fees is the dirty little secret of the PCI world. Averaging between $10 and $30 per month, but sometimes creeping up to as much as $100 per month per noncompliant merchant, the fees are often viewed as a cost of doing business by many smaller merchants that haven't yet bothered to invest in security. While the ostensible idea behind the fees is to convince these firms to get with the program, the revenue model creates a perverse disincentive for processors to push them to do so, Shimel says.

"You could say that not only is there not an incentive to get these smaller merchants compliant, but that these processors are financially disincentivized to do so," he says. "Even if you were to say only 40 percent of the millions of small merchants out there were noncompliant -- and believe me, that number is probably a lot higher -- if you multiply that by $20, $30, or $40 per month, that's millions of dollars a month that these processors are making on those fees."

According to George, one of the best outcomes of the Genesco case would be if it would spur the creation of an independent governing body that would assess PCI compliance and the penalties associated with it. Though the PCI Data Security Standards Council does a lot to maintain the integrity of the standard itself and the certification of Qualified Security Assessors, the brands and processors are left to decide the fate of noncompliant organizations in their own way.

"Maybe this case causes Visa to change its mind and say, 'this causes bad publicity for us, so maybe we have to tweak our regulations more, maybe we set up an independent review board that looks if there was a breach,'" George says. "The board could consist of merchant representatives, and they're the ones that determine what the penalties are."

Regardless of the effects of the Genesco case, the landmark lawsuit is definitely a symptom of a much-needed shakeup of the PCI enforcement process and potentially the need for card brands and acquiring banks to share in the pain of their merchants, says John Pescatore, director of emerging security trends at the SANS Institute.

"I don't know the chances of this lawsuit succeeding, but the card brands and the PCI enforcement process do need a shakeup," he says. "While the merchants do and should always bear the brunt of the costs when they are at fault for an exposure incident, the enforcement process seems to almost invariably shield the card brands and the acquiring banks from any of the PCI compliance enforcement pain."

Drew Conry-Murray, 3/22/2013 | 11:35:16 PM
re: Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core
I'm very curious to see the outcome of this lawsuit. I think the PCI program is set up in such a way that the card brands can retroactively deny compliance status if there's a breach. But a compliant company does not mean an invulnerable one.

Drew Conry-Murray
Editor, Network Computing
Brando the Mando, 3/21/2013 | 8:54:48 PM
re: Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core
It's not a PCI contract dispute but an op-regs dispute. It's also irresponsible to say that a $13M vs $2M fine is subjective. Visa's ADCR process details how fines are calculated pretty specifically. I'm not aware of another "public" document from another brand that details their structure. That said, we don't know the nature of what was compromised to even make that claim. For example, if 7 times more Visa data was taken than MC data, the fines make sense.

Also, the LAST thing we need is another independent governing body. This would be a huge waste of time and resources.