Hacked retailers up in arms over $13 million 'fine', Visa lands up in court

Hacked retailers up in arms over $13 million 'fine', Visa lands up in court

Summary: Visa is being hit with a lawsuit after retailers decided to fight penalties imposed by credit card companies for data breaches.

SHARE:
TOPICS: Security
35
keyloggingimage
Credit: CNET

Multi-million dollar business Visa is being taken to court by retailers who are less than happy with the imposition of penalties after being victims of cyberattacks.

Visa is being accused of "punishing" retailers and merchants who find themselves scrabbling to contain data breaches and repair systems compromized as hacking targets. The lawsuit, filed last week in Tennessee by Genesco and first reported by Wired, means that the sports retailer is one of the first to file such a complaint against a money processing system. The lawsuit is centered on self-regulated PCI security standards, which require networks that cope with financial transactions to take particular steps to secure such data -- and if these are not met, result in stringent penalties.

The court documents (.pdf) state that Genesco protests the fines imposed by Visa of $13,298,900 as the parent company of over 2,400 stores in America and Europe considers the fines "wrongfully imposed and collected."

At the end of 2010, Genesco admitted its systems had been breached, stating that the system which copes with payment processing was "hacked," and that the details of particular cards may have been compromised. In addition, the retailer stated that immediate action had been taken to contain the threat, which had come only days after MasterCard and Visa were hit with cyberattacks in relation to preventing donations to whistleblower website Wikileaks.

Both Visa and Mastercard went after Genesco and its connected merchant banks, which resulted in overall fees of over $15 million centered around the idea that the companies were non-compliant with Payment Card Industry (PCI) standards to allow such breaches to take place.

Packet-sniffing software was found on Genesco's network but no evidence was ever discovered to suggest credit card details of individual customers were stolen. However, the fines imposed were not only for noncompliance, but also operating expenses and to cover "the cost of fraudulent charges made to the accounts," according to Wired.

Genesco maintains within the filing that it did not breach PCI standards, which in this case, relate to the storing of card data without ensuring proper safety measures are in place. In addition, the firm says that as servers are continually rebooted and overwritten, the company "did not even suffer a possible theft of cardholder data with respect to many of the accounts cited by Visa" within its original penalty.

The documents also point out that merchant banks are not meant to be liable for the recovery of fraudulent transactions unless an "account compromise event" results in the theft of at least 10,000 accounts, and the level of fraud is more than usually accounted for with Visa card use.

Due to this, Genesco's bid to take Visa to court in the landmark case alleges that Visa has broken its own self-regulatory rules by imposing such fines under Californian law. We are yet to see whether Mastercard will be next to have a court summons relating to cyberattacks left on its doorstep.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • Nothing like mix metaphors.

    'Lands Up' - what is that? I heard of 'Lands in' but never 'Lands Up'. If ZDNet want real writers give me a call.
    codeguy007
    • Don't forget 'Centered around'..

      Can't tell you the number of times I rea the phrase 'centered around' in Zdnet articles. Should be 'centered on'.
      oraman
      • I read

        Again, the subject says it all!
        Dameadows
      • No

        The Oxford English Dictionary has both (centre on/around)
        Kwaghmenger
      • Sorry to burst your bubble

        but I've heard the phrase "centered around" several times in professional settings as in "centered around the concept of XXX" But that's okay, you small minded trolls keep right on concentrating on the grammar and keep missing the point that Visa is fradulently charging companies it does business with.
        athynz
        • Sorry to burst YOUR bubble...

          ...but all credibility is lost when the headline states "...lands up in court". This means to me that the article is written in a less-than-professional manner & that the scribe (not to mention the editor) is less than professional. How can I believe anything mentioned in the article when a simple phrase cannot be used properly? It's the 80/20 rule - 80% of the people are morons when it comes to writing &/or speaking properly, while there are really only about 20% of us who actually "get it"!
          rmazzeo
      • May I repeat?

        For those of you that may have missed it, May I repeat: "About Charlie Osborne
        LONDON-BASED medical anthropologist Charlie Osborne is a journalist, graphic designer and FORMER TEACHER.' As we say here in NEW ENGLAND: "Tis betta to keep closed mouth and be thout a fool than to speak and prove it!!!" Nice article Charlie!!!!
        puppadave
    • Mixed or Mixing metaphors

      Subject says it all!
      Dameadows
    • "Lands up" is fine

      Hi :)
      It is proper English and is widely used on this side of the pond.

      I thought the contents of the article was more interesting than trying to poke holes in the petty issues. Why pick on the ladies here when the chaps are often far worse? With regards to petty issues like that i think this was probably the best article i have read on ZdNet in a long time. It flowed much more naturally.
      Regards from
      Tom :)
      Tom6
      • Which side of the pond

        Over here, UK, it's ends up or lands a.

        This is another bas(e)tardisation of good old english!
        Little Old Man
        • Ignore the (e) obviously, like the filter

          n/t
          Little Old Man
    • Except for ignorant grammar nazis

      'real writers' who don't know much about language are always depressing. 'Landing up' is a perfectly acceptable turn of phrase; originally it referred to the practice of ships or boats making landfall by the simple expedience of running aground on a convenient beach. Likewise, 'centred on' is actually a more precise term than 'centred around', which is idiomatically acceptable but logically incorrect.
      Xennlander
  • cool it guys...

    that's just British talk, there is nothing wrong with it. in fact I think 'Lands up' seems more in line with the context of the story.
    bvahedy
    • Lands Up

      it's just an expression for ends up, but with an underlying negative connotation to it, applicable in this case due to the PCI breaches.

      The over all way to improve security for Card Payment is to implement additional security like Chip and PIN, and move away from MagSwipe. C & P is in widespread use in Europe. It's not 100% perfect, but effectively deals with the majority of issues.
      neil.postlethwaite
      • Also in Australia

        Here we have a pretty broad base of chip cards and readers, the biggest preserve of swipes still seems to be Amex (and even they may change on the next card issue). PIN numbers for credit cards have become almost the norm, signatures seem to be the preserve of the older generation (no disrespect), many of whom are less comfortable with PIN's.
        We also have an increasing base of "PayPass" and other NFC style payment devices. Most supermarkets and McDonalds stores, amongst many others, now offer this facility up to an imposed maximum transaction value, typically $30-100.
        In my recent visits to the US, credit cards are all signature-based and I had to show ID on almost every transaction.
        joneda1
  • Huh?

    Why shouldn't the retailers be fined heavily for non compliance? I think that they should also get fined for charging a different credit and cash price.
    cmwade1977
    • That's the 13 million dollar question

      According to Genesco they were in compliance.

      From the article: "Genesco maintains within the filing that it did not breach PCI standards, which in this case, relate to the storing of card data without ensuring proper safety measures are in place. In addition, the firm says that as servers are continually rebooted and overwritten, the company "did not even suffer a possible theft of cardholder data with respect to many of the accounts cited by Visa" within its original penalty."
      athynz
      • Thats an incorrect definition of PCI

        Not sure whether it was PCI standard at the time but now PCI is quite proscriptive on the things which should done
        the.nameless.drifter
    • Reply to credit and cash price question...........

      When someone uses their card, the seller immediately loses between 0.6% - 1.8% of the sale price, in charges from the card provider. Then there is also the ongoing monthly cost of of the terminal that can vary around the $39:00 AU a month mark.
      Here in Australia, it is quite legal to charge the customer to recover the costs of them using a card. Large penalties apply if you are found to be over charging.
      Personally, I think we should all go back to cash. Do any of you remember when we used to get paid our wages in cash? You would put aside the money for food, beer, rent, petrol, etc. and then you would go to the bank and deposit the rest. The banks were very greatful for you banking with them. Now all your money goes straight in electronically and they want to charge you every time you try to access it.
      Why Knot
  • Scrabbling? Really?

    The author writes, "retailers and merchants who find themselves scrabbling to contain data breaches". Attempting a phonetic spelling of the word Scrambling shouldn't result in a made-up word like Scrabbling...are the merchants trying to piece together words from seven tiles?
    wagne045