Recent Security Breaches Show ISOs Must Be Ready

Authorities continue to investigate the theft of credit card data from people who attended conventions at the Boston Convention & Exhibition Center in October 2013 and November 2013. Originally, authorities believed the theft affected about 300 attendees; now, authorities estimate hundreds more had their credit card information stolen. Restaurants, hotels, and bars located near the convention center all deny that hackers breached their computer systems to obtain the information.

Last week in Texas, authorities arrested two individuals caught with 96 counterfeit credit cards allegedly linked to the series of Target's data security breaches in late 2013. In those breaches, it is believed that hackers could have stolen every Target customer's financial information gathered between November 2013 and December 2013. The exact sources of the breaches are unknown at this point, but Target's POS system could be one area of focus.

These separate events show that hackers are doing more and more to penetrate ineffective security measures and illegally seize consumers' personal financial information from any source. To prevent hackers from illegally acquiring consumer information from POS systems, the major card brands created the Payment Card Industry Data Security Standards (PCI DSS). If a merchant's POS system is not compliant with the PCI DSS, then the impact can be crippling, as we have recently seen. Damages for a Processor's, ISO's or merchant's failure to comply with PCI DSS minimum standards include, but are not limited to, fines up to $500,000 per data security breach incident, fines up to $50,000 per day for non-compliance with published standards, and liability for all fraud losses incurred from compromised account numbers.

For ISOs, a merchant's non-compliance with the PCI DSS puts the ISO at risk for the same penalties a merchant can face. In October 2013, a court held an ISO and a third-party IT company responsible for damages related to inaccuracies in the PCI DSS self-assessment questionnaires given to their merchants. The loose procedures used to evaluate merchant PCI DSS compliance resulted in hackers stealing data from nearly 25,000 payment cards, and damages in that case exceeded $500,000. ISOs are increasingly being held responsible for oversight of their merchants' activities and will increasingly be required to pay for ignoring merchants' PCI DSS non-compliance while those merchants process through them.

The lesson for ISOs is that a well-documented process that effectively monitors merchants' PCI DSS compliance is now a requirement. Adding a penalty fee to a merchant's monthly statement while allowing it to continue processing transactions in an intentionally risky or grossly negligent manner is not enough. An ISO should immediately suspend a merchant's processing account once the ISO has knowledge of non-compliance with the PCI DSS, and require that merchant to follow the suggested compliance protocol. Every ISO should review its PCI DSS procedures annually and find experts that can help eliminate all risks.

Article by: Adam O. Stone, Esq., Associate Attorney
