Genesco Lawsuit Could Shake PCI Compliance Regime To Its Core
If courts were to reverse $13 million in fines levied by Visa against the retailer, it could take a lot of wind out of PCI's sails
As the security industry digests the news that for the first time a merchant is taking a major card brand and its payment processor to court over PCI noncompliance fines, speculation has started to fly about the long-range impact the case could have on the PCI compliance ecosystem.
On its face, the $13 million complaint from Tennessee-based retailer Genesco against Visa seems like pretty standard business litigation. But according to some, the suit has the potential to disrupt PCI's influence in the merchant community.
"It really doesn't look on the first account to be a very big case, but it's the first retailer that kind of goes up against the establishment," says Torsten George, vice president of worldwide marketing, products, and support for Agiliance. "If the court would decide to reverse the penalties imposed on Genesco, it would really shake the foundation of the PCI Security Standards Council to its core."
Last week, Genesco petitioned the court in Tennessee to order Visa to reimburse the company for more than $13.3 million in penalties collected on behalf of the card brand by payment processors Wells Fargo and Fifth Third Financial Corp. following a 2010 data breach at the sports retailer. The heart of the case revolves around Visa's contractual language about what constitutes noncompliance for the purpose of levying fines. In its suit, Genesco contends that it was in compliance with PCI rules at the time of the breach.
Some security experts have little patience for Genesco's quibbling, arguing that the firm should divert resources away from the courtroom and into the data center to improve its security program. "This lawsuit strikes me as a little ridiculous," says Tim 'TK' Keanini, chief research officer for nCircle. "Genesco would be far better off spending those legal fees on a more effective security program so they can better protect their customers in the future."
According to Keanini, PCI as a standard sets the minimum level of security for regulated merchants pretty low. He doesn't agree with George that the case will have much of a long-term effect on PCI, but he says it should offer some warning to insecure but QSA-approved organizations.
"I seriously doubt that this lawsuit will have any impact at all on the standard, but it should be a cautionary tale for all merchants," he says. "You can be PCI-compliant and still be breached -- it's time for everyone to step up their security game or suffer the consequences."
Some experts point out that the root cause of conflict in this case isn't necessarily about the security standards themselves, but in how the card brands and payment processors choose to inflict financial penalties due to noncompliance and breach events.
"This is a PCI contract dispute," says William Hugh Murray, an information assurance executive consultant, trainer, and associate professor at the Naval Postgraduate School, who says the courts are around for just this kind of clash. "This particular dispute arises, in part, because the payment processors deduct their 'fines' from the revenue they collect for the merchant. The merchant has to sue the payment processor to get his money back rather than the processor having to sue the merchant to collect the fine. There is a presumption in favor of the payment processor built into the system."
In fact, a number of controversial storms have been brewing over payment processor and card company financial repercussions around PCI. For example, George notes that many within the security industry have grumbled at the lack of standards in the way penalties are levied against breached or noncompliant companies.
"You can see if you read through the case, MasterCard assessed over $2 million in penalties, and Visa went out and said, 'Well, we are going to charge you more than $13 million,'" he says, "so it's obviously subjective."
And those are just the fines levied by the card brands through their acquiring banks or processors as a consequence of a breach. There is also the controversial matter of monthly PCI noncompliance fees charged by payment processors against small to midsize merchants.
According to Alan Shimel, co-founder and managing partner at The CISO Group, the revenue stream generated by these fees is the dirty little secret of the PCI world. Averaging between $10 and $30 per month, but sometimes creeping up to as much as $100 per month per noncompliant merchant, the fees are often viewed as a cost of doing business by many smaller merchants that haven't yet bothered to invest in security. While the ostensible idea behind the fees is to convince these firms to get with the program, the revenue model creates a perverse disincentive for processors to push them to do so, Shimel says.
"You could say that not only is there not an incentive to get these smaller merchants compliant, but that these processors are financially disincentivized to do so," he says. "Even if you were to say only 40 percent of the millions of small merchants out there were noncompliant -- and believe me, that number is probably a lot higher -- if you multiply that by $20, $30, or $40 per month, that's millions of dollars a month that these processors are making on those fees."
According to George, one of the best outcomes of the Genesco case would be if it would spur the creation of an independent governing body that would assess PCI compliance and the penalties associated with it. Though the PCI Data Security Standards Council does a lot to maintain the integrity of the standard itself and the certification of Qualified Security Assessors, the brands and processors are left to decide the fate of noncompliant organizations in their own way.
"Maybe this case causes Visa to change its mind and say, 'this causes bad publicity for us, so maybe we have to tweak our regulations more, maybe we set up an independent review board that looks if there was a breach,'" George says. "The board could consist of merchant representatives, and they're the ones that determine what the penalties are."
Regardless of the effects of the Genesco case, the landmark lawsuit is definitely a symptom of a much-needed shakeup of the PCI enforcement process and potentially the need for card brands and acquiring banks to share in the pain of their merchants, says John Pescatore, director of emerging security trends at the SANS Institute.
"I don't know the chances of this lawsuit succeeding, but the card brands and the PCI enforcement process do need a shakeup," he says. "While the merchants do and should always bear the brunt of the costs when they are at fault for an exposure incident, the enforcement process seems to almost invariably shield the card brands and the acquiring banks from any of the PCI compliance enforcement pain."