funsec mailing list archives

Re: PCI roadblock?


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 16 Jan 2012 18:10:00 -0500

On Mon, Jan 16, 2012 at 5:09 PM, Rob, grandpa of Ryan, Trevor, Devon &
Hannah <rmslade () shaw ca> wrote:
Maybe not.  But this certainly is going to be interesting to watch.  As well as being
a great point for the legal domain ...

Nothing surprises me from the banking and credit card industries
anymore. No evidence of a breach was found, yet the restaurant was
still fined. Then the banks claimed loss against the restaurant, so
the fines were increased and assets were seized. Amazing.

Jeff

...

In the wake of the alleged breach, Cisero’s, per rules imposed by the
payment card industry, was required to hire a forensic investigations
firm — from a list of six firms approved by Visa and MasterCard — to
determine if a breach had occurred and if the restaurant was in
compliance with the so-called PCI security standards that were adopted
by the Payment Card Industry Council in 2005.

The McCombs hired two firms, Cybertrust and Cadence Assurance. Both
examined Cisero’s point-of-sale system (POS) and servers and found “no
concrete evidence that the POS server suffered a security breach which
led to the compromise of cardholder data” and no evidence that
insiders had installed skimmers on card readers to collect account
data. Cadence in fact determined that no evidence existed that payment
card data of any kind was improperly taken from Cisero’s systems.

...

Visa determined that the total cost of the liability for Cisero’s
noncompliance was $1.33 million, but ultimately set the fine at
$55,000, without explaining how it reached these figures, the McCombs
claim. MasterCard stated that although it could have imposed a fine of
up to $100,000 for the violation of storing card data, it decided to
impose a fine of only $15,000.

The fines increased after card issuers came forward claiming they
suffered losses from the alleged breach. Under recovery programs run
by Visa and MasterCard, card issuers that have suffered losses due to
data breaches can recover these losses from the bank of the merchant
accused of being the source of the breach. So after RBS Citizens Bank
and Chase claimed they had suffered $13,849 in losses from fraudulent
charges to their customers' accounts as a result of the alleged breach
of Cisero’s network, MasterCard added that to the fine, for a total of
about $90,000.
...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.