PCI Law: Should retailers pay when they lose card data?

Is PCI-DSS (Payment Card Industry Data Security Standard) a Sufficient Standard of Care to Support Retailer Liability to Banks?

Credit Card Number Security Incident Response



The mechanics and theory of credit cards are so jerry-built that it is legally unfair to make merchants pay damages to anyone when credit card data leaks to criminals. The credit card system was not designed with the idea that merchants would need Fort Knox-style security to protect electronic information. It was only after the system became wildly popular that financial institutions (acting through the PCI) articulated heavy data security burdens for merchants.

It remains an open question whether the johnny-come-lately PCI rules are effective at protecting the credit card system. Even after a merchant spends lots of money becoming "PCI compliant," hackers can still break into the merchant and steal the little units of data (name, account number, expiration date, security code) upon which the system so heavily relies. That's not because the merchant is negligent or guilty of privacy crime. It is because commercial information systems are inherently vulnerable to modern hackers in search of discrete units of data like names and numbers that are used over and over and over again.

The credit card industry needs to invent new ways to authenticate people and transactions, and to place less emphasis on maintaining the confidentiality of data elements like name plus account number plus security code.

I have published more analysis on the topic of merchant liability for a credit card data breach.

--

Mr. Wright teach the Law of Data Security and Investigations at the SANS Institute