Point-of-Sale Breaches Bring Out the Law
A recent POS (point of sale) breach has created a wakeup call for manufacturers, suppliers, and users of POS services.
Last week, a district court in Louisiana ruled that seven restaurants in Louisiana and Mississippi can proceed with their case against the providers of a POS system that allowed Romanian hackers to steal the credit card details of its customers.
The breach has already cost the restaurants involved tens of thousands of dollars in reimbursements and added charges from the credit card companies.
The suit, originally filed in March, is against Radiant Systems, which produced the Aloha POS systems bought by the restaurants; and Computer World, a local retailer that sold the systems as being fully compliant with the latest Payment Card Industry (PCI) standards. Visa allegedly warned both Radiant and Computer World back in March 2007 that the Aloha POS system in question was not compliant, because it stored transaction data in the magnetic stripe.
The major credit card companies introduced the PCI DSS (Data Security Standards) compliance requirements to safeguard systems from hackers and to protect customers from the risk of identity theft. Businesses are contracted to use PCI DSS compliant equipment and software -- with penalties imposed on retailers whose systems are breached.
But this is where the problem lies, as it is the retailer that's fined for any breaches that occur, not the system seller or maker of the systems that were breached.
In this case, as usual, the credit card companies invoked their contracts to directly penalize the restaurants after the breaches. The restaurants were forced into reimbursing the cost of the fraud to the credit card companies, paying for new cards for affected customers and for the forensic tests to find the root of the problem.
The scale of the breaches across Louisiana and Mississippi led to a United States Secret Service investigation, in which forensic tests revealed that Radiant and Computer World violated PCI compliance on several counts, including passing off old models of POS machines as the most up-to-date models available; using un-patched remote access systems; using the same password for at least 200 different outlets; and failing to remove sensitive customer data before installing a POS system.
Also fanning the conflagration surrounding the present lawsuit is the news that insurance companies representing both the suppliers and the restaurants, which for various legal reasons cannot yet be named, are now locking horns. However, preliminary assessments indicate that neither the restaurants nor the suppliers are covered for losses due to non-compliance.
One thing: The need for POS systems may soon be a thing of the past. Twitter inventor Jack Dorsey proposes to turn any mobile phone into a credit card machine by means of a small “square” that plugs into the audio input jack. The buyer simply signs with a fingerprint.
Devices such as these may be the way forward; but then again, we have seen the first iPhone virus emerge, so this may simply herald new problems.
Anyway, until we have a secure alternative, it is essential that current systems be safe from breaches. It seems only reasonable that when the sale of an item is based on a false claim, the seller should be called to account, and not the buyer and user of the product.
Perhaps cases like this and the recent coupon fraud reports are indications that there is a sea change underway: Finally, a voice representing the small businessman and the average consumer may be heard in the courts. Suppliers, beware!