Restaurant Challenges US Bank and PCI DSS after Seizure of Funds

Thursday, January 26, 2012

Andrew Weidenhamer


An interesting lawsuit has been filed by a Utah-based restaurant against US Bank after US Bank seized money from the restaurant for, US Bank claims, failure to protect cardholder data.

Owners of Cisero’s Ristorante allege the bank forces merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that the bank imposes random fines on merchants based on what seems like arbitrary numbers without providing a sufficient method to dispute fines:

A Complicated Challenge

This lawsuit is the first to really challenge the PCI Data Security Standard.

However, I would argue it isn't so much about challenging the PCI DSS as it is about challenging what appears to be a lack of notice within contractual agreements with acquiring banks, as well as the methods used to impose fines on merchants.

Focus on Consistency

I definitely agree there may be some underlying issues, especially with regard to the consistency of the fines passed down by Card Brands and Merchant Banks alike. The Card Brands definitely need a method to their madness by creating some sort of formula/algorithm based on past actual damages/losses for breach of cardholder information.

Obviously, I’m assuming a method such as the one mentioned does not currently exist, which, within Cisero’s counterclaim, appears to be the case. In addition, merchants need to have a way to be able to dispute claims against them, and acquiring banks need to ensure that any changes within contractual agreements are clearly communicated to their merchants.

A Strong Case in the Face of Ignorance

So with all that said, I honestly believe Cisero’s Ristorante has a strong case and, in the end, will be able to retrieve some of the seized money, primarily based on the same reasons organizations get sued for “unfair practices.” However, I do believe there are some pretty ignorant statements made in this article.

First and foremost:

“It’s just like Visa and MasterCard are governments,” said Stephen Cannon, an attorney representing the McCombs. “Where do they get the authority to execute a system of fines and penalties against merchants? That’s a very important issue in this case.”

Visa and MasterCard are private organizations. No one is forcing merchants to accept these credit cards. Merchants choose to accept Visa and MasterCard because, from an overall business perspective, it makes sense. Cisero’s Ristorante basically claims that in order to compete, they had to enter into a merchant agreement.

This may be so, but in the end, they ultimately CHOSE to accept credit cards. In other words, no one forced them to sign that agreement with US Bank. When a breach occurs, the Card Brands do incur financial impact. To assume anything else is a bit ridiculous.

If the Card Brands experienced no sort of financial impact AT ALL with regard to breach of cardholder information, there would be no reason to pass down fines to Merchant Banks. Even if you consider no actual damage or loss to the Card Brands in the event of a breach (which I believe not to be the case), it still takes resources from the Card Brands to deal with a potential breach situation.

Either way, it’s the right of the Card Brands to pass down some of the liability to Merchant Banks, who ultimately pass down liability to their merchants. This makes sense and is seen in many more cases than simply the PCI standard. Upward contractual obligation is not a new term and is certainly not unique to PCI compliance.

The problem in this specific case, among many other things, is the fact that 1) two different forensic companies determined there was no breach of cardholder information and 2) the number of unique accounts used to invoke Visa’s Account Data Compromise Recovery (ADCR) process may have been inflated when reported to Visa.

Secondly, the below comment:

“The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines “are profitable to them,” the McCombs say.”

This is a pretty bold statement without many qualifying comments behind it. The PCI DSS isn’t perfect; we can all agree on that. However, without PCI, organizations wouldn’t do anything at all to secure cardholder data. How do we know this? We know this because in 2008, it cost organizations on average $2.8 million to become compliant with the PCI DSS.

Does anyone really think it would have cost organizations this amount of money if they had simply been implementing security best practices as soon as they made the business decision to accept our personal information? I mean, the PCI DSS isn’t even in line with what is typically considered security best practices.

The second reason we know this is that companies are choosing to do nothing with regard to privacy right now, even on the verge of looming comprehensive U.S. privacy legislation.

For this same reason, it will cost organizations a significant amount of money in 3 to 5 years when comprehensive privacy regulation is passed within the U.S. (Although probably not as much as PCI, as rest assured, there will be lobbyists sitting on Capitol Hill arguing about how difficult it is to adhere to a new privacy regulation.)

Plus, how can one assert that there is no “fraud loss at all”? Is it possible that we don’t actually know the extent of the breach yet? It can take a couple of years after a cardholder breach for the attacker(s) to start using the breached credit card information in a malicious manner.

Why is this? Because it helps to cover up the breach and where it occurred. After a certain number of years, it’s hard to track where the stolen credit card numbers came from.

Again, many people want to pick on the PCI. However, compliance mandates are necessary to force organizations’ hands in doing something with regard to protecting our information. There does, however, need to be a more consistent fine structure, and merchants should be able to exercise their right to dispute any fines passed down to them.

Transparency Needed before It’s Too Late

To summarize, although the PCI DSS is a necessary evil, so to speak, in this specific case, I actually do side with Cisero’s Ristorante but only because of the aforementioned reasons.

There simply is not enough transparency right now with regard to PCI fines, and Merchant Banks are not doing a good enough job enforcing contractual requirements on their merchants until after it is too late.

Ray Pesek

While I normally emphatically agree with the "You signed the contract. Now do what you said you would do." statement, I'm not so sure it's as valid with payment cards as it is with other areas.

I've been waiting for someone to challenge the major card companies as being a monopoly or conspiring to act as a monopoly. Because the cards are so prevalent as a payment vehicle, to me it's kind of like saying "No one forced you into putting in a telephone" when there was only one phone company. (Yes, yes, I know I'm showing my age.)

When you only have one choice or when the choices are substantially the same, I'm not so sure a monopoly does not constructively exist.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
