Retailer Liability to Banks for Credit Card Data Breach
Minnesota's pioneering PCI legislation, HF 1758 (Plastic Card Security Act), requires payment card merchants to reimburse the costs of financial institutions when they replace compromised cards. A colleague of mine at the SANS Institute, Joshua Wright (wireless security instructor), sent me a question. Here's Joshua's question, and my reply:
[begin quote from Joshua]
[Concerning an essay published by SANS]: in the section "Altering the Ecosystem", you stated:
"H.F. 1758 bluntly states that a merchant may not retain certain card data, such as a card's security code and the full data from the card's magnetic stripe. It further provides that if a merchant does retain such credit card data, and that leads to a breach of a card's security, then the merchant must reimburse the financial institution that issued the card for the reasonable costs incurred to avoid damage."
My question is surrounding the wording "... and that leads to a breach of a card's security". Is it stated in H.F. 1758 that the storage of the data has to be a contributing factor that leads to the breach of the security of the system? I read this as stating that vulnerabilities in the organization's security are directly caused by the storage of this data, and that furthermore, it implies that the motive of the attacker compromising the resource was to retrieve this stored information.
IANAL, but I think this would give a defense attorney an easy-out for their customer, simply by showing that the attack was opportunistic, or that the attacker could not have known that the protected data was stored in the organization's network.
Consider the case of the Lowe's attack with Timmins and Botbyl. They used a weak wireless configuration to access the Lowe's network, and eventually planted packet sniffers to collect CC information. This could be argued as being an opportunistic attack, and that Lowe's is not responsible for any bank charges since the storage of the credit card information did not directly lead to the breach in security.
I may be bending words here, but I'm hoping you can clarify your perspective. Note that I am not asking for legal advice, just your interpretation of the bill so I can communicate this to my students.
[end quote from Joshua]
Thanks for your good question. HF 1758 is poorly written, and my summary of it does not precisely reflect the ill-chosen words of the legislation.
Subdivision 2 of HF 1758 basically says a merchant is forbidden from retaining a credit card security code or credit card mag stripe data. Next, subdivision 3 says that if a merchant does retain the forbidden data, then, in essence, the merchant is in the class of what I'll call dis-favored merchants under the legislation. Further, subdivision 3 says that if a merchant in the dis-favored class suffers a breach of security that compromises personal info, then that merchant must reimburse the costs incurred by a bank to protect the information of its cardholders.
Notice that the legislation does not say the breach of security has to compromise the forbidden data (card security code or mag stripe data) in order to trigger the special obligation to reimburse banks. One might reasonably interpret the legislation as requiring the breach to affect the forbidden data, but the legislation does not explicitly so require.
Hence, the direct answer to your question is no, the storage of the forbidden data does not have to be a contributing factor to the breach in order for the bank to achieve extraordinary rights of reimbursement.
Here is why I think HF 1758 is poorly written. Suppose Wal-Mart has a single malfunctioning point of sale device in a store in Mexico that mistakenly stores the forbidden data from a single card. The implication is that, due to this single faux pas, Wal-Mart as an entire entity is a dis-favored merchant under HF 1758. Then, suppose Wal-Mart suffers a breach of security in a regional data center servicing the upper Mid-West (including Minnesota). The breach of security affects personal information of credit card holders. The result is that Wal-Mart (a member of the class of dis-favored merchants) must reimburse the costs of banks that cancel cards as a result of the breach -- even though reimbursement is not required under the contracts and standards negotiated among players in the credit card industry. And Wal-Mart's special requirement to reimburse arises because of a single, insignificant blunder in Mexico that has nothing to do with the breach of security in the Mid-West data center. Thus the punishment to Wal-Mart seems to be disconnected from and out of proportion to the mistake (storing forbidden data from a single card in Mexico).
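Because a single device quietly retaining track data is enough to put a merchant in the dis-favored class, the practical check is to scan point-of-sale logs and stored records for full magnetic stripe data and labelled security codes before anyone else finds them. The scanner below is an added example, not part of the original post; the log lines are constructed and the field names (term, raw, cvv2) are assumptions.

```python
import re

# Constructed POS debug output for the example (not real card data; the PAN
# is the common test number 4111111111111111). Lines 1, 2 and 5 retain data
# the statute forbids, line 3 is a properly masked record, and line 4 has
# track-2 layout but a PAN that fails the Luhn check.
SAMPLE_LOG = """\
2007-06-01 10:01:02 term=07 raw=%B4111111111111111^DOE/JANE^25121011234567890?
2007-06-01 10:01:02 term=07 raw=;4111111111111111=25121011234567890?
2007-06-01 10:01:03 term=07 auth ok pan=411111******1111 amt=42.10
2007-06-01 10:01:04 term=07 raw=;4111111111111112=25121011234567890?
2007-06-01 10:01:05 term=07 cvv2=123 settle batch=9
"""

# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
# Security code only when a field label names it; bare 3 digits are too noisy.
SEC_CODE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security_code)\s*[=:]\s*\d{3,4}\b", re.I)

def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four digits only, so the report itself is safe to keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_forbidden_card_data(text: str) -> list[dict]:
    """Return one finding per retained track-data or security-code hit.

    Track hits are kept only when the PAN passes Luhn, which drops digit runs
    that merely resemble track layout; the PAN is reported masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append({"line": lineno, "kind": kind, "pan": mask(m.group(1))})
        if SEC_CODE.search(line):
            findings.append({"line": lineno, "kind": "security_code", "pan": None})
    return findings
```

Run against SAMPLE_LOG it reports lines 1, 2 and 5 and stays silent on the masked authorization record, which is the distinction the statute turns on.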
Update: HF 1758 was an over-reaction to the TJX break-in. See more of my analysis of that over-reaction.