Should a QSA and the Merchant be held liable for security breaches! LOL Seriously!

Jul 27, 2015

The below is an excerpt from the article written by Mathew Schwartz on the Target breach and the subsequent lawsuit against the merchant and their QSA!!
Of course, that liability arrangement used to work both ways. "When PCI first came out, Visa and MasterCard used to give merchants 'safe harbor' from penalties in the case of breaches when the breached merchant was PCI compliant. But they eliminated that safe harbor right after the first big breach," Litan said. "When I asked Visa to explain, they told me, 'The merchant must not have really been PCI compliant if they got breached. And perhaps they didn't give their assessor all the information they needed to properly audit their systems.'"

But that circular reasoning raises this question: If that's how Visa views PCI compliance, and if card brands and banks have failed to invest sufficient resources to strengthen the payment card system, should Target or Trustwave be held liable?

Well...ask yourself this question...why do the Card Brands still use card numbers for their credit cards? Chip cards could eliminate the need for outward-facing card numbers. So ask yourself why the financial institutions took so long in instituting EMV...it is still not fully adopted in the United States and other parts of the world because of its extreme cost to implement. Mag stripes on cards are open invitations to criminals.
Because financial institutions and the Card Brands own the card numbers, who is ultimately responsible for protecting their interests? Wouldn't, shouldn't it really be the Card Brands/Banks themselves who are responsible for their own card numbers and any fraud loss?

Ask yourself...if you as a Card Brand created a security requirement program like PCI and PA-DSS and didn't enforce it across all merchants and service providers so that every employee is educated and trained in basic security and social engineering as it pertains to their department...if you, as the owner of the card numbers, didn't follow through on enforcing your own protection program...wouldn't it be logical that the owner of the card numbers be responsible, and that the buck stop with the actual owners of the card numbers?

In my opinion the buck stops with the Financial Institutions and the Card Brands themselves. We don't need card numbers to conduct financial transactions now...We haven't for a long time!

So why do card numbers still exist on credit cards when they can be so easily stolen and create such lucrative revenue streams for criminals....hmmmmmmmm!!
