3/21/2013 01:10 AM

Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core

If courts were to reverse $13 million in fines levied by Visa against the retailer, it could take a lot of wind out of PCI's sails

As the security industry digests the news that for the first time a merchant is taking a major card brand and its payment processor to court over PCI noncompliance fines, speculation has started to fly about the long-range impact the case could have on the PCI compliance ecosystem.

On its face, the $13 million complaint from Tennessee-based retailer Genesco against Visa seems like pretty standard business litigation. But according to some, the suit has the potential to disrupt PCI's influence in the merchant community.

"It really doesn't look on the first account to be a very big case, but it's the first retailer that kind of goes up against the establishment," says Torsten George, vice president of worldwide marketing, products, and support for Agiliance. "If the court would decide to reverse the penalties imposed on Genesco, it would really shake the foundation of the PCI Security Standards Council to its core."

Last week, Genesco petitioned the court in Tennessee to order Visa to reimburse the company for more than $13.3 million in penalties collected on behalf of the card brand by payment processors Wells Fargo and Fifth Third Financial Corp. following a 2010 data breach at the sports retailer. The heart of the case revolves around Visa's contractual language about what constitutes noncompliance for the purpose of levying fines. In its suit, Genesco contends that it was in compliance with PCI rules at the time of the breach.

Some security experts have little patience for Genesco's quibbling, arguing that the firm should divert resources away from the courtroom and into the data center to improve its security program. "This lawsuit strikes me as a little ridiculous," says Tim 'TK' Keanini, chief research officer for nCircle. "Genesco would be far better off spending those legal fees on a more effective security program so they can better protect their customers in the future."

According to Keanini, PCI as a standard sets the minimum level of security for regulated merchants pretty low. He doesn't agree with George that the case will have much of a long-term effect on PCI, but he says it should offer some warning to insecure but QSA-approved organizations.

"I seriously doubt that this lawsuit will have any impact at all on the standard, but it should be a cautionary tale for all merchants," he says. "You can be PCI-compliant and still be breached -- it's time for everyone to step up their security game or suffer the consequences."

Some experts point out that the root cause of conflict in this case isn't necessarily about the security standards themselves, but in how the card brands and payment processors choose to inflict financial penalties due to noncompliance and breach events.

"This is a PCI contract dispute," says William Hugh Murray, an information assurance executive consultant, trainer, and associate professor at the Naval Postgraduate School, who says the courts are around for just this kind of clash. "This particular dispute arises, in part, because the payment processors deduct their 'fines' from the revenue they collect for the merchant. The merchant has to sue the payment processor to get his money back rather than the processor having to sue the merchant to collect the fine. There is a presumption in favor of the payment processor built into the system."

In fact, a number of controversial storms have been brewing over payment processor and card company financial repercussions around PCI. For example, George notes that many within the security industry have grumbled at the lack of standards in the way penalties are levied against breached or noncompliant companies.

"You can see if you read through the case, MasterCard assessed over $2 million in penalties, and Visa went out and said, 'Well, we are going to charge you more than $13 million,'" he says, "so it's obviously subjective."

And those are just the fines levied by the card brands through their acquiring banks or processors as a consequence of a breach. There is also the controversial matter of monthly PCI noncompliance fees charged by payment processors against small to midsize merchants.

According to Alan Shimel, co-founder and managing partner at The CISO Group, the revenue stream generated by these fees is the dirty little secret of the PCI world. Averaging between $10 and $30 per month, but sometimes creeping up to as much as $100 per month per noncompliant merchant, the fees are often viewed as a cost of doing business by many smaller merchants that haven't yet bothered to invest in security. While the ostensible idea behind the fees is to convince these firms to get with the program, the revenue model creates a perverse disincentive for processors to push them to do so, Shimel says.

"You could say that not only is there not an incentive to get these smaller merchants compliant, but that these processes are financially disincentivized to do so," he says. "Even if you were to say only 40 percent of the millions of small merchants out there were noncompliant -- and believe me, that number is probably a lot higher -- if you multiply that by $20, $30, or $40 per month, that's millions of dollars a month that these processors are making on those fees."

According to George, one of the best outcomes of the Genesco case would be if it would spur the creation of an independent governing body that would assess PCI compliance and the penalties associated with it. Though the PCI Data Security Standards Council does a lot to maintain the integrity of the standard itself and the certification of Qualified Security Assessors, the brands and processors are left to decide the fate of noncompliant organizations in their own way.

"Maybe this case causes Visa to change its mind and say, 'this causes bad publicity for us, so maybe we have to tweak our regulations more, maybe we set up an independent review board that looks if there was a breach,'" George says. "The board could consist of merchant representatives, and they're the ones that determine what the penalties are."

Regardless of the effects of the Genesco case, the landmark lawsuit is definitely a symptom of a much-needed shakeup of the PCI enforcement process and potentially the need for card brands and acquiring banks to share in the pain of their merchants, says John Pescatore, director of emerging security trends at the SANS Institute.

"I don't know the chances of this lawsuit succeeding, but the card brands and the PCI enforcement process do need a shakeup," he says. "While the merchants do and should always bear the brunt of the costs when they are at fault for an exposure incident, the enforcement process seems to almost invariably shield the card brands and the acquiring banks from any of the PCI compliance enforcement pain."

Comments
Drew Conry-Murray, User Rank: Ninja
3/22/2013 | 11:35:16 PM
re: Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core
I'm very curious to see the outcome of this lawsuit. I think the PCI program is set up in such a way that the card brands can retroactively deny compliance status if there's a breach. But a compliant company does not mean an invulnerable one.

Drew Conry-Murray
Editor, Network Computing
Brando the Mando, User Rank: Apprentice
3/21/2013 | 8:54:48 PM
re: Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core
It's not a PCI contract dispute but an op-regs dispute. It's also irresponsible to say that a $13M vs $2M fine is subjective. Visa's ADCR process details how fines are calculated pretty specifically. I'm not aware of another "public" document from another brand that details their structure. That said, we don't know the nature of what was compromised to even make that claim. For example, if 7 times more Visa data was taken than MC data, the fines make sense.

Also, the LAST thing we need is another independent governing body. This would be a huge waste of time and resources.