Subscribe to eSecurity Diva
 Subscribe via RSS Feed


 

« The Data Breach Paradox and Why You Should Still Do the Right Thing | Main | The PCI Council's Quality Assurance Program »

September 23, 2008

The Wacky World of PCI Fines

The card processor for a tiny Mexican restaurant, hit by robbers who stole a whopping 10 to 15 receipts with credit card numbers on them, was recently fined the equivalent of $83.50 for each card because the data was not properly secured.

Meanwhile, a recent forensics analysis showed that a larger Internet merchant was possibly breached because it was storing nearly 1,500 unencrypted credit card numbers. The fine for the same processor was $4.44 per card, even though the analysis showed no proof of a breach.

Then there’s clothing retailer TJX, which we all know about. The large Level 1 merchant, whose lax security practices led to millions of compromised records, reached a settlement of 64 cents per breached credit card with Visa and 83 cents per card with MasterCard.

Pci_imageSee anything awry here? I sure do. Ken Musante does too.

Musante, president of the processor charged in the top two fines—Humboldt Merchant Services—is lobbying for more clarification, transparency and consistency in the penalty process. There is often no rhyme nor reason in the penalties imposed now, he says in Digital Transactions, a monthly magazine that covers the North American consumer electronic transaction market. Additionally, the system unfairly penalizes processors and often takes so long that some breached merchants actually are out of business by the time the fines are levied.

His solution is that PCI forensics companies should keep a database of breaches and base network fines on that database and the following metrics:

  • The number of valid versus unencrypted cards compromised
  • The extent and amount of related information—such as expiration date and name—that were exposed
  • The extent and amount of prohibited information—such as magnetic-stripe data—that were compromised

Such a system would be more predictable and fairer, he says. In addition, these new guidelines would bring fines on quicker, Musante adds. It also could “hold the bank card associations more accountable.”

I believe him. The PCI fining system is pure chaos. As Forrest Gump would say, it’s like a box of chocolates. You know the rest.

Without a doubt, a more uniform and reasonable system is badly in need. If we expect more merchants to follow PCI security rules, the penalties for breaking those rules should at least be logical.

Posted at 02:54 PM in PCI Issues |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e551f086aa8833010534c1c737970b

Listed below are links to weblogs that reference The Wacky World of PCI Fines:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

propecia online

I like this text: "Then there’s clothing retailer TJX, which we all know about. The large Level 1 merchant, whose lax security practices led to millions of compromised records, reached a settlement of 64 cents per breached credit card with Visa and 83 cents per card with MasterCard..."

Posted by: propecia online | February 22, 2010 at 03:54 PM

The comments to this entry are closed.