“Caution – the delicious beverage you are about the consume is extremely hot!” – Where PCI may take us
Blogger: Diana Kelley
The TJX “computer intrusion”, first reported in December of 2006, set off serious alarm bells and repercussions for entities that store and process credit cardholder information. Card protection standards are not new, but it was the TJX intrusion that ratcheted up the compliance heat significantly.
As is often the case, when an industry is deemed to be unable to regulate itself, lawyers and lawmakers stepped in. Lawyers lost no time in filing suits against TJX (details on most of these can be found in the TJX March 28, 2007 10K filing and lawmakers weren’t far behind. Minnesota passed the Plastic Card Security Act in June of 2006. And other states, including Massachusetts and California have similar bills under review.
The lawsuits, and the current and proposed state laws, are significant because, for the first time, payment for damages would be paid by the entities deemed responsible for the data loss. Specifically, the cost to card issuing entities, such as banks, would be remunerated for costs incurred in the course of notifying affected consumers and issuing them new credit cards. Cost per consumer/card vary, but is commonly reported as being between US $12 and $15. Note that the consumer damages for lost credit card information is a different issue. Although no consumer wants to hear that their credit card number is being used fraudulently, the actual dollar amount of damages is low. Consumer liability for fraudulent use of a credit card is capped at $50 dollars, but it is rare that an issuing bank makes the customer pay even this amount.
Now, here’s the fun part – being PCI compliant doesn’t let the entity that lost the credit card data off the hook. Compliant entities that lost data are still responsible for having lost that data. If the lawyers arguing for the prosecution can convince a judge or jury that retailer A really is liable for the damages the cost could be financially devastating. If, for example, TJX had to pay for card replacement costs for even one quarter of the card numbers lost settlement would be around US $135million (45000000/4*12). How many retailers, even large ones, could absorb that kind of loss?
But let’s flip the case around - in the TJX instance there was relatively a clear path from the TJX databases to the fraudsters. But it won’t always be so easy to close the loop. Just because PANs 1-100 were stolen from retailer A – it doesn’t prove that the fraudsters using PANs 1-100 got them from retailer A. If a single source of resale of PANs 1-100 can be found – it would be easier to draw the line between the two. But what if credit card sellers get smart – add more layers between those who steal the PANs and those who sell them and also mix batches of available PANs from different thefts? This would benefit the thieves by making it harder to pin a specific theft on a group of people – but it also could benefit the retailers who may claim that there’s not enough hard evidence that the breach of PAN data from their database is the reason those PANs were for sale on the open market. And a smart defense lawyer will know this and argue this point.
So what’s the solution? Is there one? Being PCI compliant can decrease the risk of losing card data, but doesn’t eliminate it. And it doesn’t provide protection against lawsuits or legal violations. And all the risk protections in the world, can’t guarantee data will never go missing. Yet retailers and banks are going to look for ways to protect themselves. Which is why I’ve been thinking we might start seeing this on the doors to stores that accept credit cards: “Consumers be advised use of credit cards could lead to loss of credit data – use at your own risk.” And have to sign an agreement with our issuing banks that states: “Credit card use may lead to loss of credit data, if your card information is lost you will be charged a $15 replacement fee per card.” Heck, the fraud monitoring services could even tack on an extra $20 per year for “free” card replacement.
Granted, playing up the security of credit cards is something the industry has done for a long time, but consumers are hooked now. And addictive substances that come with warning labels don’t stop use. The beverage you are about to consume is extremely hot and the credit card number you’re about to use may be lost. Proceed at your own risk.
