Last week I blogged about seven restaurants filing a lawsuit against Radiant Systems after the recent breach. (Radiant Systems Sued Over Data Breach - Million$ $ought)
Here's some more on the subject: The overview below is from Wired and the analysis is from Avivah Litan, distinguished analyst at Gartner...
"Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.
The restaurants, located in Louisiana and Mississippi, have filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.
The suit alleges that the system stored all of the data embedded on the bank card magnetic stripe after the transaction was completed — a violation of industry security standards that made the systems a high-risk target for hackers. Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant’s Aloha POS system."
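The alleged defect is retention of full magnetic-stripe (track) data after authorization, which PCI DSS prohibits. As an added example that is not code from the post, Wired, Gartner or any product named above, here is a small defender-side scan that looks for Track 1/Track 2 layouts in POS logs or database exports, keeps only Luhn-valid PANs to cut noise, and masks what it reports so the findings file is not itself stored cardholder data. The log lines and regexes are constructed for the example.

```python
import re

# Track 2 format: ;PAN=YYMM<service code>...?  Track 1: %B<PAN>^NAME^YYMM...
# PAN is 13-19 digits. Constructed patterns for this example, not product code.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")

def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display allowance)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """Return (line_no, track, masked_pan) for each Luhn-valid track hit.

    Findings are masked so the scan report itself does not become stored CHD.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):        # drops random digit runs
                    hits.append((no, track, mask_pan(pan)))
    return hits

# Constructed sample log: one Track 2 record, one Track 1 record, one decoy
# that has track layout but a PAN failing Luhn (well-known test numbers only).
SAMPLE_LOG = (
    "2009-11-20 12:01:03 auth ok amt=42.10 ref=00017\n"
    "2009-11-20 12:01:03 raw=;4111111111111111=1012101123456789?\n"
    "2009-11-20 12:05:44 raw=%B5555555555554444^DOE/JANE^1012101?\n"
    "2009-11-20 12:06:00 raw=;1234567890123456=1012101?\n"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
```

Any hit on a post-authorization log or table is a PCI DSS 3.2 finding regardless of what the vendor's compliance paperwork says.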
Meanwhile, Gartner has published an analysis of the Radiant Systems/ComputerWorld breach and ramifications thereof:
Lawsuit Highlights the Hidden Risks of PCI 'Compliance'
A lawsuit serves as a reminder that card-accepting businesses can be held liable for Payment Card Industry security compliance failures, even when they have been told their vendors or service providers are fully compliant.
News Analysis
Event
On 23 November 2009, a law firm representing seven restaurants in Louisiana and Mississippi announced that it has filed a class-action lawsuit against Radiant Systems, an Alpharetta, Georgia-based maker of point-of-sale (POS) systems, and Computer World Inc., a Scott, Louisiana-based POS system distributor. The suit alleges that Radiant Systems and Computer World sold the restaurants Aloha POS systems that were incorrectly described as compliant with Payment Card Industry (PCI) related security standards, despite having been informed by Visa that they were not. The suit further alleges that these systems and related poor business practices contributed to major data security breaches that resulted in multiple cases of identity theft and some of the restaurants being fined by credit-card issuers or required to submit to forensic audits.
Analysis
Gartner is not a law firm, and makes no judgment as to the merits of this or any other lawsuit. However, these allegations — whether or not they are ultimately upheld in court — point to serious, long-standing problems with the PCI compliance process. Card brands such as Visa and MasterCard typically send alerts about noncompliant products or services to their member banks, not to card-accepting businesses and other direct purchasers of these technologies. For this reason, it is unfair for the card brands and processing companies to penalize end users who are unaware of problems with the technology. POS system purchasers — particularly small businesses — cannot be expected to be experts in the credit card processing certification process, especially when they don’t necessarily have access to the communications surrounding the process.
Merchants are ultimately responsible for validating vendors' and service providers' claims, but the card brands should implement proactive awareness programs when they know that vulnerable payment technologies are in active use. They should also provide standard contract language that card-accepting businesses can insert into contracts with vendors or service providers to ensure that their products or services are compliant with PCI-DSS or PA-DSS, and that forces the vendors or service providers to assume liability for breaches resulting from deficiencies in their hardware, software or processes.
Recommendations
Card-accepting businesses:
- Ensure that your payment application suppliers or service providers are listed on Visa's rosters of certified providers (see http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html and http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf). (Note: The PCI Security Standards Council will take over maintenance of these lists after the first quarter of 2010.)
- Demand in contracts with these technology suppliers that they remain PCI- or PA-DSS compliant throughout the life of the contract, and that they assume liability for any breaches of customer data that occur because of security holes in their software or services.
- Communicate alerts directly and proactively to card-accepting companies, and issue guidance to these companies on how to manage contracts and liability issues with technology and service suppliers.
Recommended Reading
"Where Does End-to-End Encryption for PCI End?" — U.S. payment processors are introducing proprietary end-to-end encryption services to their retailer customers in an attempt to strengthen security for card data in transit. By Avivah Litan
"Using Tokenization to Reduce PCI Compliance Requirements" — “Tokenization” of cardholder data can be used to reduce the scope of PCI compliance audits, but the available products and services are still limited and immature. By Avivah Litan and John Pescatore
(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)