PCI Safe Harbor? In Your Dreams, Breach Boy

Written by Evan Schuman
March 28th, 2008

If there’s one thing that can be said about CFOs, they love their absolutes. (No, not the vodka. Well, not for all of them, at least.) They love absolute assurances that if they do X-and-Y, they’ll be protected against Z.

They like to buy liability insurance, buying into the line that shareholder assets will then be safe no matter what that boneheaded new Operations VP does in a year. They like Poison Pill plans, believing their lawyers that it will prevent them from ever being taken over.

And, most recently, they are simply ga-ga for those who say that a PCI compliance letter means they are in a magical safe harbor, where they can do anything with their security that they want and be utterly immune from liability.

Like the embassy staffer who commits violent crimes behind the diplomatic immunity shield, only to find his government turning him over to the home country, there is hardly any absolute immunity, certainly not when it comes to retail security and the U.S. legal system.

This is becoming an issue because of the continuing fallout from the Hannaford breach of 4.2 million payment cards and the merchant’s position—apparently buttressed by copies of a sanitized PCI compliance report that it’s taken to showing people—that it was PCI compliant at the time of the breach.

Setting aside the arguments we made last week about what PCI compliance does—and, more importantly, doesn’t—mean, this issue involves whether PCI compliance shields a retailer—puts them into a legal "safe harbor"—as to any losses that result from that breach. Some media reports—such as this one from Computerworld—are suggesting that a PCI compliance letter is indeed some Superman shield against lawsuit kryptonite.

The truth is that such safe harbors don’t exist. Clearly, a retailer defending against data breach costs would rather have a PCI compliant certificate than not. And TJX—which was about as non-compliant as a merchant could get—fared quite well in its legal battles, even reversing a Visa fine.

But PCI compliance merely refers to one point in time. For most Level Ones, that’s a brief point in time once a year. Do those CFOs actually believe that they can take a PCI compliance letter, frame it and stick it on their wall and then have carte blanche for 10 months to engage in whatever reckless security move they feel like, utterly immune from any resulting damages?

In the Hannaford case, much is still unknown. What if it’s established—and I should stress that I have seen absolutely nothing to indicate this is the case—that the PCI assessment was performed improperly? What if the assessment was performed properly, but Hannaford answered the questions in an incomplete, misleading or otherwise erroneous way?

Let’s take it to the next step. Assuming that the assessment was done properly and that—for the sake of discussion—Hannaford was truly compliant with the letter and the intent of PCI at the time of its assessment, what if Hannaford officials started violating PCI procedures an hour after the assessment was completed? What if one of those PCI aberrations was a direct cause of the breach? Should those officials still be held blameless, merely because they were technically PCI compliant?

Here’s where things get really interesting. Let’s say that, theoretically, Hannaford complied with PCI by encrypting data when it was being transmitted over the Internet, but the data was accessed as it moved—unencrypted—through an internal network, which was one of the problems with TJX. Officially, that particular act was not in violation of PCI requirements, but if it was the cause of the breach, should Hannaford officials in that scenario be held blameless? What if, hypothetically, many retail security experts testified that the conduct was reckless, even though it was not forbidden by PCI? Are CFOs to believe they will be held blameless regardless of whatever facts are established?

PCI compliance shouldn’t—and, in my opinion, likely won’t—provide this absolute legal protection being touted. The intent was always that if a retailer could establish that they consistently did everything they could have done—and should have done—properly in terms of data protection, that they would then have their liability severely limited. That makes sense. But to project that on a once-a-year declaration of compliance from one assessor based on fragmentary examination of a single point-in-time—working with an imperfect list of interpretable guidelines—is little more than ludicrous.

In short, rely on this safe harbor promise and you might find your safe battleship is named Titanic.


2 Comments

  1. Walt Conway Says:

    I believe Visa provides a merchant “safe harbor” if they are compliant at the time of the breach and the merchant’s compliance was validated before the breach. The important thing is the “at the time of the breach” part. One quote that stuck with me from the PCI Community meeting in Toronto was “you are only one system change from being non-compliant.”

    You point out that one-time compliance does not guarantee safe harbor. I’d expand that to include: validation does not guarantee compliance, and compliance does not guarantee security. There is no such thing as 100% security…so much for “Breach Boy” easy answers to complicated questions…

  2. Steve Sommers Says:

    While “validation does not guarantee compliance, and compliance does not guarantee security,” the opposite is true:

    breach = !secure = !compliant = $fine
