A looming challenge to PCI?
In an unprecedented move, a retailer is suing a major card network operator, Visa, over the fees that the card network collects as penalties for security breaches.
Wired reports that Genesco, the parent of more than 2,440 retail outlets in North America and parts of Europe, accuses Visa of "levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based."
The suit highlights the grumbling that has long been muffled in the retail industry about the value of the PCI security standards.
There has been a smattering of other suits by retailers that target not the card networks but rather First Data, a card processing service, though the issues in these cases are quite similar. In another case in Utah, a restaurant sued the merchant acquiring bank, U.S. Bank.
At issue is Visa's practice of levying fees for PCI violations on companies that have been breached. These fees are automatically paid by the merchant acquiring bank, which turns around and collects the fee from its customer accounts. That leaves the retailer out the value of the penalty (in this case, about $13 million) and leads to lots of frustration.
If this snowballs into a mass protest of the PCI system as currently constituted, it will have big implications for card security and how the system is enforced.
- here's the article