What you don’t know CAN hurt you
As I was hanging out in a local bar here in Denver this weekend (I could probably start out all my posts like this) I got to talking with the Bar Manager about his credit card processing. He told me that he uses Heartland Payment Systems, at which point I brought up the breach they had last year. He had heard nothing about it. Now I don’t expect him to keep up on the latest security threats and happenings, but I would’ve thought that Heartland would send him a letter saying “Hey, we got breached but you’re ok” or “Hey, we got breached and all your data is stolen” or “Hey, we suck. Go find another processor”. Nothing. They never let him know anything about the breach, his card data, his customers, their future, nothing. I immediately pulled out my iPhone and wiki’d Heartland and showed him the info. Long story short… he’ll be switching processors.
This brought us into a conversation on PCI, though. He had heard about it, but didn’t know what it meant, how it affects him, what he needs to do about it, etc. I asked him a few simple questions. Do you store cardholder data? Do you send data over the Internet? I explained to him that he is a Level 3 merchant and he needs to fill out an SAQ and have quarterly network scans done by an ASV. He didn’t seem too concerned about it, saying, “Yeah, I’ll deal with that later”. I quickly threw out some numbers that a breach could cost him if he doesn’t deal with PCI compliance.
- $3-$10 per card for replacement costs
- $5000-$50000 (or more) in compliance fees
- $8000-$20000 for forensics auditing
- Around a week of not accepting credit cards during the forensics
Overall, he’s probably looking at a minimum $100,000 if some script kiddie gets into his network and compromises data. That’s enough to shut down his business. That got his attention pretty damn quick.
This got me thinking about other comparable regulations that someone like this guy has to comply with and why PCI is not really taken seriously. Fake IDs are a great comparison. I’m also friends with the doorman at this bar (yes, I hang out there way too often). My friend who runs the bar takes fake IDs very seriously: he has trained his staff to spot them and they have zero tolerance for anything suspicious. Getting busted for accepting a fake ID would cost my friend around $1000. Compare that to $100,000 and look at the level of seriousness he takes on both issues. Something isn’t adding up here.
Who’s to blame for merchants not understanding PCI and the benefits/consequences associated with it? I’ve got to point the finger at the credit card companies and the PCI Security Standards Council. They need to educate their merchants on these issues. From what I’ve seen, the credit card companies push these issues onto the processors, the processors push them to the ISOs, and the ISOs push them to the merchant. You know the old saying “sh*t rolls downhill”? That seems pretty fitting here!
Something needs to change.
…josh
Josh, it would seem to me that either his acquiring bank or processor would be the one to get the necessary info to him. I know that for companies I've worked for in the past that were required to be PCI compliant, the acquiring bank was in regular communication with us. But I'm sure that Heartland was just too busy with ensuring security with end-to-end encryption to notify their customers. Yeah, like that's gonna work.
Hahaha, good point Andy. I was just surprised that he knew NOTHING about it. Try selling end-to-end encryption to him!
Yep, gotta agree with Andy. The card brands are just mirroring the channel which the fines follow; they don’t fine the merchant, they fine the acquirer. As you said, downhill.
But speaking of fines, it still feels like card brands and banks alike are trying to deal with this the 80/20 way. To get rid of 80% of the breaches, handle the biggest 20% of the merchants. Deal with the rest later. The acquirers and card brands really don’t have enough resources to deal with the level 3 and 4 merchants, so they focus on the big fish and hope that significantly reduces the number of records lost. I’ll even make a bit of an assumption and guess that MasterCard’s back pedaling on the enforcement against Level 2s by the end of 2010 is due to the reality of reviewing 800 Reports of Compliance (most of which, let’s admit, would have been put off until the last few months of the year).