An interesting but troubling article appeared this past week. A merchant is suing their processor and acquiring bank over a fine assessed for an alleged credit card breach. What makes this situation troubling is that the merchant had a forensic examination of their systems conducted, and that examination found no breach. Yet Visa and MasterCard said the merchant was the source of the breach because their analyses of transactions led them to the merchant, and that was enough to impose fines and penalties.
What should rile merchants is a quote from David Navetta, founding partner of the Information Law Group, who states,
“Most QIRAs (qualified incident response assessors) do not necessarily do a deep-dive forensic assessment. Rather, they do something more tailored to the task of confirming PCI compliance and validating the existence of a card breach. Unfortunately for merchants, we have found that some of the assumptions made by QIRAs in this context are often not favorable to the merchant.”
To be fair, there are two issues here. One is a breach of data and the other is compliance with the PCI standards. In regard to compliance with the PCI standards, if you were breached, what is the likelihood you were PCI compliant at the time of the breach? It does not take a rocket scientist to figure that out, let alone some QSA or PFI (PCI Forensic Investigator) coming in after the fact. In fact, even without any analysis, I would say that your compliance with all of the relevant PCI standards at the time of the breach was probably somewhere between slim and none.
However, this lawsuit points out an even more disconcerting issue with cardholder data breaches. What Mr. Navetta is pointing out is that any incident investigation initiated by the card brands under the PCI standards is going to focus on PCI compliance and not on whether the breach actually occurred. What a piece of comforting news that should be to merchants. The card brands know that you were not in compliance with the PCI standards, yet they go through the motions of an “investigation” just for appearances.
But the most troubling thing of all, and the point that should scare all merchants, is the indication that Visa and MasterCard did not even conduct an investigation into the breach and how it occurred. The article implies that Visa and MasterCard implicated the merchant based on an analysis of the fraudulent transactions. That transactional analysis led the card brands back to a common point: the merchant that filed suit. And as the following examples show, the card brands’ all-knowing analyses are not always the entire story.
I can tell you from experience with some of our clients that this happens all of the time. A number of our clients have been involved in these card-brand-driven “witch hunts.” The card brands point the finger at a number of merchants simply because the merchants all came into contact with the cards involved. Unless you have the wherewithal to prove you are not the reason for the fraud, you are the reason the breach occurred.
As an example, back in the ancient times when the Visa CISP ruled the land, we were involved in the forensic examination of a client that is a franchisee of a restaurant chain. Visa informed them that one of their restaurants was the source of a cardholder data breach. Their “evidence” was a report that showed their restaurant had come into contact with the cards involved in the fraud. Their attorney asked Visa to explain how this analysis was proof that no other merchant could have been the cause of the breach. The attorney also asked whether any other merchants had come into contact with the cards in question. Visa told their attorney that this was proprietary information and could not be shared.
Since our client was getting nowhere with Visa, they asked us to conduct a forensic examination of the computers involved to see if a breach had occurred. While we found a number of security improvements that should be made, we were not able to find any evidence of the card numbers in question on any of their systems that could have come into contact with the cardholder data. When presented with this information, Visa replied to our client and their legal counsel that it did not matter, as their restaurant was the source of the breach. In the end, our client paid Visa the equivalent of a third of a year’s profit as their fine to resolve the situation.
As Paul Harvey liked to say, “And now, the rest of the story.” It turned out our client actually was involved in the data breach, albeit indirectly. Skip ahead half a year at the same restaurant. One day the police walk in and arrest an employee for skimming credit cards. As the police continued investigating, it turned out there were two more employees who were also skimming cards. Did Visa apologize or return the “fine” they collected? Heavens no, our client was still guilty as far as Visa was concerned.
In another case only a couple of years ago, the same situation occurred. This time our client was a very large Midwestern retailer with a store in the same town where the fraud was occurring. When approached with the fraud analysis report, the retailer’s legal team ambushed Visa’s representatives and got them to admit that there were four other potential outlets that could also be the source of the breach. However, in retaliation, Visa implicated our client in the breach through various local media outlets. The retailer involved us in some due diligence regarding their PCI compliance and other potential issues surrounding the possibility that they were the source of the breach. In the end it turned out that a convenience store in town was the actual source of the breach. The overnight convenience store clerk had allowed a friend to doctor the ATM in the store to skim cards. While Visa dropped their “investigation” of our client, they never once apologized for accusing our client of being the source of the breach or for the inconvenience they caused with their “investigation.”
The lesson to be learned here is that the card brands are very heavy-handed when dealing with a breach. While I understand their motives for this approach, I also feel it is very one-sided in favor of the card brands. I know they are trying to protect their brand names. But in the end, such heavy-handedness will only alienate merchants and, ultimately, the customers who use their cards to pay for goods and services.
It will be interesting to see how this lawsuit plays out.
UPDATE: Since posting this entry, I have had an opportunity to talk to a number of PFIs about this topic. While they would not comment on specific investigations, they have all stated that how investigations are conducted has changed significantly. While the card brands may still only be interested in PCI compliance, the investigations now typically cover everything regarding the breach: how it occurred, who was behind the breach and other relevant investigative topics. They also told me that they are finding themselves more and more in an adversarial position with the card brands over breaches that were not the fault of the merchant or the result of a merchant’s PCI non-compliance.