A Tennessee-based footwear and apparel company has filed a $13 million lawsuit against Visa over what it calls arbitrary, subjective penalties for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard the card brands enforce on merchants.

Last week Nashville-based Genesco, which operates 2,440 retail stores such as Journeys and Lids Locker Room throughout North America and Europe, sued Visa U.S.A. Inc., Visa Inc. and Visa International Service Association to recoup almost $13.3 million in fines levied following a 2010 data breach.

Since 2006, retailers in particular, but virtually anyone who accepts Visa, MasterCard, American Express, Discover and other major and minor credit cards, have been required to comply with the 12 data security requirements of the Payment Card Industry Data Security Standard (PCI DSS). A council run by the five major card brands maintains the standard, while the brands themselves enforce compliance through the merchants' acquiring banks; the requirements apply to any organization that stores, processes or transmits cardholder data. The standard was created in 2004 to improve controls around cardholder data and reduce credit card fraud. Businesses were given two years to come into compliance.

Under the guidance issued by the PCI Security Standards Council (PCI SSC), a merchant is defined as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.” Such a broad definition includes everyone from retailers, restaurants and service stations to health care providers, educational institutions and even paper shredding companies. The level of assessment depends on how many credit card transactions are processed and if there’s a history of data breaches.

In 2010, Genesco was the victim of “a sophisticated cybercrime attack,” according to court papers posted on Wired’s Web site, which was the first to report the lawsuit. Criminals installed a packet sniffer on Genesco’s network to capture unencrypted card-swipe data as it was transmitted for authorization. “Notwithstanding this circumstance, the PCI DSS not only does not prohibit, it actually expressly approved, unencrypted transmission of mag-stripe-swipe transaction approval data,” according to the court document.

Genesco claims the thieves never accessed data stored within the company’s network, in part because Genesco rebooted its servers, which overwrote any log files containing sensitive cardholder data before the attackers could reach them. Nonetheless, Visa alerted all of its account holders who had made a purchase at a Genesco store between Dec. 4, 2009 and Dec. 1, 2010 that their data may have been compromised.

In May 2011, Genesco’s acquiring banks, Fifth Third Financial and Wells Fargo, and in turn Genesco, were fined $13,298,900 for PCI DSS violations and to cover expenses incurred over the breach and the resulting fraudulent charges.

Visa and MasterCard together fined the companies a combined $15.6 million, but only Visa is named in the current lawsuit. In a January SEC filing, Genesco reported $2.1 million in legal and consulting fees related to the data breach.

Only one other related lawsuit has been reported in the United States: a $90,000 legal dispute between a Utah restaurant chain and US Bank, which sued each other after the restaurant failed to secure its network and suffered a data breach that resulted in fraud and PCI penalties, according to Wired.

Categories: Compliance, Data Breaches

Comments (12)

  1. Anonymous

    Not going to comment on Genesco case, but PCI are good guys here. Without large monetary penalties PCI-DSS would not be followed.

  2. Anonymous

    “Notwithstanding this circumstance, the PCI DSS not only does not prohibit, it actually expressly approved, unencrypted transmission of mag-stripe-swipe transaction approval data,”

    smart move (PCI SSC). Geesh idiots in charge of data. Way to go PCI!

  3. Anonymous

    PCI DSS stands for “The grand illusion of security”, or, “we won’t let you process if you are a total and complete moron”.

  4. Anonymous

    Merchants are more and more preyed upon by credit card processors and banks. Did you know your ‘reward cards’ penalize the merchants for what the credit card reimburses you? And that there’s no way to know a card is a reward card? I started as a merchant with Wells Fargo at one percent, and just got a form letter from them that they are going to take four percent almost … they think … for processing credit cards. I have a totally perfect record for a decade.

    These entities violate agreements at will.  I would love to sit on that jury!

  5. Anonymous

    Even though it’s possible that the data was intercepted, PCI indicates physical security controls shall be in place to protect networks and storage devices. If an unauthorized sniffer is placed on the Genesco network, then Genesco is held liable. Seems that Genesco did not adhere to the PCI DSS for physical security controls to protect data. Also, PCI standards are not written in stone, and do not guarantee that a breach will not occur even after passing a PCI DSS audit. A controls standard does not guarantee 100% success but only reduces the risks.

  7. Anonymous is CPP, CISSP, CIPP, CISM

    Good points. Any control can be circumvented given time and resources, but circumvention does not dismiss liabilities for lack of controls. PCI DSS does change its standard, but it’s a document and execution is required for compliance. If execution fails, the document (standard) cannot be held liable; the executor is liable. In your analogy, if a bank does not meet the minimum physical security standard, the bank can be held liable with fines per contractual agreement, even though the bank was robbed. PCI was created because the government was planning this action but the credit card companies / banks got together first to create the PCI DSS. Maybe the standard will be adopted by the government, or the government will take control of PCI DSS – who knows for sure.

  8. Anonymous

    I’d be surprised if the lawsuit against Visa held up – the caveat being that PCI assessments are performed by QSAs, who bring their own subjective viewpoints into the fold, and are ultimately the entities that are signing off on a company’s compliance efforts as having passed muster. As everyone knows, PCI is simply a compliance framework, and adhering to it does not guarantee in any way complete protection from threats. Of course, that also makes you question the validity and effectiveness of the PCI DSS itself, which is an entirely separate argument.

  9. rgrein

    I think that says everything. Physical security controls may be adequate but still circumvented; PCI standards NOT being written in stone means they can change the rules at any time to their advantage. This is analogous to requiring physical security for a bank then levying fines when they get robbed.

    The real problem here is control. PCI should be standardized and controlled by a government. As it is now the foxes are in charge of the henhouse.

  10. Anonymous

    There are plenty of software based packet capture programs that could be installed on a PC with no physical access.

  11. Anonymous

    I hate to say it, but control by the government will not stop anything either, and the government also charges for breaches of privacy data. Either way, I doubt anyone reading the article truly knows the full story here. I can see both sides, but the general concept of PCI is that Genesco is responsible for protecting cardholder data and did not. Similar to privacy data and the government. If an organization leaks privacy data, they will likely be fined.

  12. Anonymous

    I can’t say I agree that government control is the right answer. The only reason I say this is because PCI is a requirement across international boundaries. To make that even more of a sticking point, the U.S. federal standard within NIST doesn’t put much in stone. There are a lot of “recommendations” but little mandate. I simply do not see international boundaries coming down to a mutually agreed upon international standard which would be set in stone. Even if you look at the NERC CIP guidelines for critical infrastructure, there is a good chunk which is not set in stone, and the standard is fluctuating significantly enough from one version to the next that it is nearly causing an uprising over the government control. I liken that situation to the wolf having just eaten the fox, and now blowing on the hen house.

Comments are closed.