By Art Lieberman
For several years, we have been writing articles and conducting webinars about the payment card industry's data security standard (PCI-DSS) and how it affects all merchants, making campgrounds aware of what they must do to become and remain compliant. Just a week ago, Paul Bambei, president of the National Association of RV Parks and Campgrounds, asked us if we would record one such webinar for the ARVC website. We will be doing that shortly.
Briefly stated, every merchant that accepts credit cards MUST complete a yearly questionnaire and attestation of compliance for the PCI-DSS. In the case of my company, we have an actual tab on our website which takes the merchant to the PCI questionnaire and attestation of compliance and, after completion, issues a “certificate of validation” which can be posted somewhere in the campground informing campers that the campground’s credit card transactions are secure.
Whether or not a merchant IS compliant, should his data be breached or hacked by someone, the merchant and the processing bank are subject to fines which range from $50,000 to millions of dollars depending upon the number of customers whose data was stolen. Our company actually offers our customers an indemnification of up to $50,000 if their data is breached after completing certification.
But now, two companies that suffered breaches are challenging Visa over fines imposed upon them. In a complaint filed March 7 in the U.S. District Court for the Middle District of Tennessee, and in a case filed in 2011 in Utah, Genesco, Inc., a sports retailer in Tennessee, and, in the earlier case, Cisero's Ristorante, Inc. of Park City, Utah, both claim that no industry regulations were violated and therefore the card companies had no basis for assessing fines.
Genesco claims that according to PCI-DSS security protocols and “consistent with longstanding and pervasive industry practice, the payment card data required for approval of a mag-stripe-swipe transaction is permitted to be transmitted in unencrypted form during the transaction approval process.”
Genesco further stated that thieves did not gain access to stored data and that there is no forensic evidence that any information on its computers was compromised; because it lost no stored data, it argues that it is IN COMPLIANCE with the PCI-DSS and therefore not subject to fines. According to its complaint, Genesco also claims that the non-compliance fines are not authorized by Visa's own Visa International Operating Regulations (VIOR). Genesco says it paid $13,298,900.16 in assessments and fines, either directly or as a result of the indemnity it has with its acquiring banks, Wells Fargo and Fifth Third Financial Corp.
Cisero's claims it was assessed fines for an alleged data breach said to have produced $1.2 million in fraud losses, allegedly attributable to the theft of unprotected data from the restaurant's computer system. However, Cisero's says it paid two independent companies for forensic audits, both of which failed to find that any card information stored in its system had been breached. Cisero's has counterclaimed against its acquirer, Elavon, Inc., which is suing Cisero's to recover $82,000 in fines imposed upon it after a card company investigation concluded that the fraud losses DID stem from Cisero's computers.
Cisero's attorney, Steve Cannon, is with the law firm of Constantine Cannon, one of the law firms that negotiated the $3 billion antitrust settlement for some national retailers with Visa and MasterCard Worldwide. Constantine says that the Genesco and Cisero's claims are similar in that both charge that the VIOR are not enforceable and the fines are invalid.
But Cisero's is going after the acquiring bank, while Genesco is skipping the banks and going after Visa directly, according to Cannon. He also notes that the Cisero's claim is older and therefore farther along, so that case's decision may have an impact on the Genesco case rather than vice versa. Cannon is also curious as to how Visa calculates fine assessments. Cannon may feel that the fine amounts are arbitrary.
These two cases appear to be the only instances in which PCI-related fines have been challenged in court.
Once again, we remind our readers that MCPS for Campgrounds has a FREE webinar on PCI compliance, which they may view LIVE on demand by contacting us and scheduling a time and date convenient to them.