Re: Unnamed Acquirer Processor Breach Timeline, some additional confirmation

["DAIL, WILLARD A" <ADAIL () sunocoinc com>]

An important distinction, I think is issuing bank vs. acquiring bank.
Imagine the Visa interchange as a cloud in the middle of a page.  To the
right are the issuing banks.  They carry all of the liability for fraud
and their customers are the consumer, who uses the credit card.  They
make their money in interest and fees associated with the consumer's use
of the card.

To the left of the cloud is the acquiring bank.  Their customers are
merchants, who they sign up to accept credit cards.  These banks make
their money from transaction fees levied on the merchant.  Sometimes, an
entity can be both an issuer, an acquirer (or a gateway, service
provider, or any number of functional designations), but not always.


The breaches we're hearing about are on the acquiring or settlement
side.  The issuing banks don't usually participate in PCI DSS (unless
they are issuing cards from a BIN range owned by another bank as part of
a lease agreement) because they carry all of the liability.  It is these
banks that will sue the acquiring banks for the costs of fraud and
reissuance.

Sorry for the tangent, but context is always nice.

Andy Dail, CIPP, CISSP, CPISM/A
Information Compliance & Security Manager


-----Original Message-----
From: dataloss-bounces () datalossdb org
[mailto:dataloss-bounces () datalossdb org] On Behalf Of *Hobbit*
Sent: Thursday, February 26, 2009 8:42 AM
To: dataloss () datalossdb org
Subject: Re: [Dataloss] Unnamed Acquirer Processor Breach Timeline,some
additional confirmation

What seems likely to happen along with all this and future disclosures,
is lots of legalese flung about geared toward the credit outfits
weaseling out of the $50 maximum customer liability.  If it hasn't
happened already, I don't really follow the credit side of things.
But you can bet your own bottom dollar that the "safety guarantee"
I so often hear associated with plastic will be a thing of the past as
the fraud picture gets worse.

Maybe this will start to finally wean people *off* the damn things.

_H*
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data
encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks
transparently across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss

This message and any files transmitted with it is intended solely for the designated recipient and may contain 
privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in 
whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and 
delete the original and any attachments.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions.
Protect sensitive data on desktops, laptops, smartphones and USB sticks transparently 
across your enterprise to ensure regulatory compliance.
http://www.credant.com/stopdataloss