Three years ago, sporting goods retailer Genesco joined the ranks of the 90 percent of American businesses that have been breached by hackers. The reason the incident is only coming to light now is that Visa accused Genesco of not complying with PCI standards, jeopardizing the credit card data of its customers, and then charged the company's two merchant banks $5,000 for each instance of noncompliance and $13.3 million to cover fraudulent charges.
The problem is that Genesco does not believe any data was exposed, which has led the company to file a first-of-its-kind lawsuit against Visa, one that has again raised questions about PCI compliance.
Ultimately, PCI compliance is the merchant's responsibility, because the merchant is the party entrusted with securing customer card data. If Genesco did not comply with the standard and, as a result, a number of its customers had their data stolen, why would the liability not fall on Genesco? Had the company taken proper steps to protect its data, perhaps by installing card processing software that better protected customer information, the breach might never have occurred and the lawsuit would have been unnecessary.
An article in the online publication CSO Online addressed this issue and noted that very few industry insiders had sympathy for merchants in these sorts of incidents. The underlying consensus is that merchants should be held accountable in these cases.
PCI compliance experts spoke with the news source about the Genesco incident and indicated that they did not believe the sporting goods retailer had a strong case. John Kindervag, an analyst with Forrester Research, suggested that Genesco must have really been in the wrong for Visa to even take action against them.
"Generally, the card brands do not levy these types of fines unless there's an egregious non-compliance problem and a data breach," Kindervag said. "As a former [qualified security assessor], someone who did this for a living, ultimately this is all about money. I don't know about this plaintiff, but a lot of companies don't want to spend any money protecting credit cards, and that's why PCI came about."
Perhaps therein lies the root of the issue. Attaining PCI compliance and maintaining it can be costly, so some companies decide not to do it. However, as this case shows, that can lead to even bigger problems and higher costs down the road. It is best for merchants to take the proper steps to ensure they are PCI compliant, as that can go a long way toward providing legal protection later on.
Understanding the role each party plays in a data breach
An article in Wired recently covered the Genesco incident and shed some light on the relationship between the parties that handle customer information, perhaps coming to the defense of the merchant. Kim Zetter, the author of the article, said it could be argued that the motivation behind the fines imposed by the card brands is more about profit for organizations like Visa and MasterCard than about actually protecting the consumer.
"When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines," Zetter wrote. "Third-party banks then simply collect the money from the customer's account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it."
Basically, merchants don't have much of a leg to stand on when a security breach occurs, and there is very little support in their favor. That is why ensuring the protection of customer information is so important. Working with a credit card software provider can help companies obtain the tools needed to secure sensitive data.