This is page 2 of:
A Breached Chain Needs To Remember Its Shoppers Are Victims, Too
The initial merchant whose POS terminal may have been hacked also sees itself as the “victim.” After all, someone broke into the store, stole valuable data, and used it fraudulently. The merchant may or may not have secured the POS terminal properly????, but in most cases relied on the POS vendor to have delivered what they thought they had purchased: a PCI-compliant POS terminal. Merchants also bear the costs of remediation, notification, compliance and fines.
The POS vendor sees itself as the “victim” because its terminal was attacked by bad guys, and the attack may have been precipitated or enabled by an unwitting merchant who improperly failed to remove, say, default passwords from the POS terminal, or failed to configure it in a PCI-complaint manner. So the POS vendor cries foul.
The cardmember’s issuing bank sees itself as the victim, as it is at least initially stuck with the chargebacks from the large store and seeks to recover these funds from someone. The cardmember’s bank also bears the costs of processing the chargebacks, re-issuing the credit cards and conducting the fraud investigation.
The large merchant also sees itself as the victim. Someone came to the store (or website) with a stolen credit card and walked off with a bunch of gift cards or an LCD TV.
The recipient of the gift card may also see themselves as a victim, especially if the gift card is payment for some other debt or obligation. If the gift cards are canceled or revoked, the recipient may be out money as well.
So we have lots of people and institutions crying foul, and a consumer looking for someone to blame.
This is where the law and reality diverge somewhat. The law places liability on the party that was “negligent” or that breached a contract (the PCI DSS agreement), which in this case is likely the initial merchant. But the consumer may or may not blame that particular merchant – especially if that merchant is a small merchant with whom the consumer has a personal relationship (the local bookstore, the hardware store, the doctor’s office, the corner deli.) No, the consumer may blame the cardbrand or issuer, or the big-box store (Walmart, are you listening?) for furthering or facilitating the crime against the consumer.
And this is where merchants can fight back with a well-managed incident response plan which includes Open Source Monitoring (OSM), fraud detection and response, public relations and consumer affairs, and trained customer service representatives who see their job as protecting the customer.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
