Archive for March 24th, 2009


After The Breach

As the old TV show Dragnet always started, “The following story is true.  Only the names have been changed to protect the innocent.”  This is a situation that the PCI SSC will need to get control of quickly or this will be another big black eye against the PCI standards.  It is not that I am against the process; I am against a process that does not make business sense.  This scenario is about a small business, but I have been through this with large businesses as well and all that happens is the costs skyrocket exponentially and blame gets assigned.

What we have is a franchisee of a fast food chain in a major metropolitan area.  This franchisee is the quintessential small businessperson with three locations.  Small businesses make up over 90% of all businesses in the United States, so this scenario is highly likely to happen again and again.  Fast food is a comfortable existence, but as F.W. Woolworth said, you make your money one or two pennies at a time.

One day our franchisee receives a call from their credit card processor indicating that one of the franchisee’s facilities has been involved in a data breach.  The processor identifies the source of the breach as one of the franchisee’s stores located in the downtown area.  Not only does the processor know the exact location, they also know that a card skimmer is involved.  The processor goes on to tell our franchisee that the amount of the breach is $5,000.  Then the processor informs the franchisee that under their merchant agreement they need to select one of three PCI-approved forensic examiners to conduct an examination to isolate the breach.  Therefore, our intrepid franchisee goes shopping for a forensic examiner.

Our franchisee contacts the three well-known forensic examination companies they were referred to and is essentially told the same story by each.  It's $25,000 up front to start the examination, and the forensic examiner will tell them when to stop writing checks.  Since, under the merchant agreement, there is no choice, the $25,000 fee is paid and the forensic examiner comes on site.

After conducting a preliminary examination of the facility's computer systems and interviewing employees for three days, the lead examiner tells our franchisee that they cannot find any initial evidence that points to either tampering or misuse of the facility's computer systems, or that any employees are skimming cards.  The examiner then says that a more thorough and detailed investigation of the computer systems is called for and a more thorough interrogation of employees is justified.  Oh, and another $10,000 please.  Another check is written and the process continues.

After about two weeks, the investigation comes to a screeching halt.  It seems that a convenience store next door is the actual site of the breach according to the card brand.  Seems that the night clerk and some of his ‘associates’ had tampered with the ATM.  Sorry to have been so much trouble.  Please write us a check for our remaining fees and expenses (around $15,000) and we will be gone.

My first problem with this whole situation was that the breach was never proven to have occurred at the fast food restaurant.  The processor was totally convinced that the franchisee was the cause of the breach.  That later proved to be false when no evidence was produced and another culprit was identified.  Nevertheless, at the time, there was no way to disprove the allegations and the processor really did not care.  Therefore, merchants beware: in the event of an alleged breach, it appears you are guilty until proven innocent.

Second on my list of injustices is the processor’s unwavering commitment that the franchisee was the root cause of the problem and that they knew the cause of the problem.  There was likely some evidence to support skimming of cards due to the type of fraudulent transactions that were occurring.  However, based on my experience, there is a big difference in volume between a doctored ATM and a person with a skimmer.  That ATM was likely generating a lot more traffic than our franchisee’s single location and that information should have been available to the processor with the right data analysis.  That said, the processor totally missed the culprit in the breach.  In my experience, it is extremely rare that a processor or even the card brands can tell the exact location of a leak.  Their fraud detection/prevention systems are good, but they are not that good.  There are usually three or more potential suspects in any breach.  Therefore, merchants, when you get that call that you are the source of a breach, be skeptical.
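The kind of data analysis the processor should have done is a common point of purchase review: take the cards reported as fraudulent and ask which merchants they all visited during the exposure window.  The following is an added example, not code from the PCI Guru post; the transactions, card IDs and merchant names are constructed to mirror the story (a busy convenience store ATM next to a fast food location), and the `min_cards` threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample data (not from the post): (card_id, merchant) pairs seen
# during the suspected exposure window. Merchant names are hypothetical.
TRANSACTIONS = [
    ("c1", "burger-downtown"), ("c1", "cstore-atm"), ("c1", "gas-station"),
    ("c2", "cstore-atm"), ("c2", "burger-downtown"),
    ("c3", "cstore-atm"), ("c3", "gas-station"),
    ("c4", "cstore-atm"), ("c4", "burger-downtown"),
    ("c5", "cstore-atm"), ("c5", "pharmacy"),
    ("c6", "cstore-atm"),
    ("c7", "burger-downtown"), ("c7", "grocery"),
    # Cards never reported as fraudulent; they dilute the fraud share of a busy
    # merchant that merely shares customers with the real compromise point.
    ("c8", "burger-downtown"), ("c9", "burger-downtown"), ("c10", "burger-downtown"),
    ("c11", "gas-station"), ("c12", "grocery"), ("c13", "pharmacy"),
]
COMPROMISED = {"c1", "c2", "c3", "c4", "c5", "c6", "c7"}  # cards with confirmed fraud

def common_point_of_purchase(transactions, compromised, min_cards=2):
    """Rank merchants by how many compromised cards they touched.

    Returns a list of (merchant, coverage, share) sorted best suspect first:
      coverage = fraction of all compromised cards that transacted at the merchant
      share    = fraction of the merchant's distinct cards that are compromised
    Merchants seen with fewer than min_cards compromised cards are dropped so a
    single card's shopping trip cannot implicate a merchant on its own.
    """
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    ranked = []
    for merchant, cards in cards_at.items():
        hits = cards & compromised
        if len(hits) < min_cards:
            continue
        coverage = len(hits) / len(compromised)
        share = len(hits) / len(cards)
        ranked.append((merchant, round(coverage, 2), round(share, 2)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked

if __name__ == "__main__":
    for merchant, coverage, share in common_point_of_purchase(TRANSACTIONS, COMPROMISED):
        print(f"{merchant:16} coverage={coverage:.2f} share={share:.2f}")
```

With this data the ATM covers six of seven compromised cards and every card it saw is compromised, while the fast food location covers four of seven with only a 57% fraud share, and a gas station trails as a third suspect; the franchisee is on the list, but not at the top of it.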

Third, what businessperson in their right mind spends $25,000 up front on a $5,000 problem, let alone the $50,000 in total that ultimately got spent?  I can tell you that the card brands and processors will not spend that kind of money, they will reimburse the cardholders for their losses and move on.  That $50,000 was almost five months of profits for this operation.  Apparently, the forensic examiners attended the Bernard Madoff School of Business when it comes to their fees.

Finally, the card brands are all pushing for more and more transactions, even transactions in the $1 to $2 range.  They want everyone to use plastic instead of cash.  However, these forensic practices will kill that effort if small merchants are under the constant threat of incurring huge costs should they ever even be accused of a breach.

Moreover, it is not just merchants; processors and other related entities that process, store or transmit cardholder data come under this forensic process as well.  So what should be done to fix this out-of-balance situation?  Here are my thoughts.

  • Just because a breach has occurred and an entity MAY be the source does not mean that they ARE the source.  An entity is innocent until proven guilty, not the other way around.  A basic investigation needs to be performed to get the facts straight and rule suspects either in or out of any further investigation.  In my opinion, these initial costs should be borne by the entity initiating the investigation.  If the facts warrant further investigation, then the costs of that further investigation should be borne by the entity being investigated.
  • Entities under further investigation should have the right to recoup their costs of the investigation if they are ultimately cleared of being the cause.  Whom they recoup those costs from is up for debate, so I will leave that for the lawmakers, lawyers and courts to decide.
  • The entity that is ultimately proven to be the source of the breach should bear all of the costs of the breach.  Yes, this will likely put most small businesses out of business, but someone has to be responsible.

As I said in my Carrot and Stick post, the card brands and their processors need to take another look at their ‘Big Stick’ approach and come up with more carrots to get people to do the right things.  By implementing these three bullet points, I think there is a lot of incentive to get more organizations to comply with the PCI standards.  It is all in the approach.
