The Costs of PCI Non-Compliance


A recent news story tells of a Park City, Utah, restaurant that is questioning the right of its long-time merchant card processor to fine them for unproven data breaches. Fraudulent transactions totaling nearly $14,000 were blamed on a data breach at the restaurant. Although violations of PCI security standards were discovered within the restaurant’s point-of-sale system, no such data breach at the restaurant was ever proven. Nevertheless, VISA and MasterCard fined the restaurant’s card processor.

The processor then withdrew $10,000 from the restaurant’s account towards fines totaling $90,000. The processor is suing the restaurant for the rest of the fines. The restaurant is counter-suing, claiming that no breach was ever proven, that they never had a chance to defend themselves, and that they were never made aware of PCI compliance rules in the first place.

As this case continues, it will be interesting to see how it unfolds and what the consequences for the credit card industry will be. But for now, there are several hard lessons to be learned:

  • All merchants are expected to understand and comply with PCI security standards, even if their processor agreement was signed before PCI standards were available.
  • If a merchant is not PCI compliant, even suspected data breaches can result in fines.
  • Merchants have no opportunity to dispute claims before fines are taken.
  • Merchants are responsible for third-party software they use to accept payments.
  • The fines to merchants can be substantial and even greater than the actual loss.


The common thread here is that merchants have significant responsibilities to assure the safety of their customers’ card data. There are high penalties for a data breach when a merchant is not PCI compliant. Many merchants buy data breach insurance to cover the damages, and that is a very good idea. But it doesn’t solve the real problem and it doesn’t bring all the benefits that being PCI compliant would.

By being PCI compliant, merchants will gain trust from their customers (potentially increasing business), won’t be responsible for security breaches (eliminating fines), and may have lower processing costs. Beyond that, PCI compliance often requires a comprehensive approach to data security that can help with other regulatory mandates and improve operations in general. In a world where theft of personal data is of concern, everyone needs to do their part to protect it.
