Who’s responsible for the costs of credit card theft?
A recent article in Information Week briefly discusses last week's reversal by a federal appeals court of a lower court's ruling that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ's Wholesale Club. The suit was originally brought by the Pennsylvania State Employees Credit Union (PSECU).
Essentially it goes like this. In 2004, BJ's Wholesale Club's ineffective information risk management led it, first, to store customer credit card data that it should not have been storing at all, and second, to provide not even a modicum of security around it. Apparently the data was stored unencrypted, behind default passwords, with limited or no monitoring. All of this allowed the customer credit card data to be stolen.
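To make the two failures concrete, here is an added example (not code from the original post, and not a description of BJ's actual systems) contrasting the storage pattern described above with a minimized one. The "before" function persists every field a card terminal produces, in the clear; the "after" function keeps only a keyed token of the card number, the last four digits and the amount, refuses to persist the CVV or track data, and an audit helper scans the resulting database the way an auditor or a thief would. The table names, field names, sample swipe records and default-password list are all constructed for this example; the card numbers are the widely used test numbers, not real cards.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Constructed sample records shaped like what a POS terminal hands to a
# store's back end. These PANs are standard test numbers, not real cards.
SAMPLE_SWIPES = [
    {"pan": "4111111111111111", "expiry": "1206", "cvv": "123",
     "track2": "4111111111111111=1206101123456789", "amount_cents": 4217},
    {"pan": "5555555555554444", "expiry": "0907", "cvv": "456",
     "track2": "5555555555554444=0907101987654321", "amount_cents": 1999},
    {"pan": "4111111111111111", "expiry": "1206", "cvv": "123",
     "track2": "4111111111111111=1206101123456789", "amount_cents": 800},
]

# Sensitive authentication data that a merchant must never keep after
# authorization: the CVV and the full magnetic-stripe track contents.
FORBIDDEN_FIELDS = {"cvv", "track2"}

# Constructed list of vendor defaults; a real check would use a larger one.
DEFAULT_PASSWORDS = {"", "admin", "password", "sa", "root", "changeme", "default"}


def has_default_credentials(password: str) -> bool:
    """An empty or vendor-default password is exactly the weakness the post
    describes; refuse to bring the datastore up behind one."""
    return password.strip().lower() in DEFAULT_PASSWORDS


def store_everything_in_clear(conn: sqlite3.Connection, swipes) -> int:
    """The 'before' pattern: every field the terminal produced, in plaintext."""
    conn.execute("CREATE TABLE IF NOT EXISTS swipes_raw "
                 "(pan TEXT, expiry TEXT, cvv TEXT, track2 TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO swipes_raw VALUES (?,?,?,?,?)",
                     [(s["pan"], s["expiry"], s["cvv"], s["track2"], s["amount_cents"])
                      for s in swipes])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM swipes_raw").fetchone()[0]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) surrogate for the PAN: stable per card, so the
    merchant can still link transactions, but worthless to a thief without
    the key, which must live outside this database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_minimized(conn: sqlite3.Connection, swipes, key: bytes) -> int:
    """The 'after' pattern: keep only what a lookup or chargeback needs."""
    conn.execute("CREATE TABLE IF NOT EXISTS swipes_min "
                 "(pan_token TEXT, last4 TEXT, amount_cents INTEGER)")
    rows = []
    for s in swipes:
        # Strip sensitive authentication data even if a caller passes it in.
        record = {k: v for k, v in s.items() if k not in FORBIDDEN_FIELDS}
        rows.append((pan_token(record["pan"], key), record["pan"][-4:],
                     record["amount_cents"]))
    conn.executemany("INSERT INTO swipes_min VALUES (?,?,?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM swipes_min").fetchone()[0]


def plaintext_pans_in(conn: sqlite3.Connection) -> list:
    """Audit helper: scan every text cell of every table for a 13-19 digit run
    that is not part of a longer hex string (so HMAC tokens do not trigger)."""
    pattern = re.compile(r"(?<![0-9a-f])\d{13,19}(?![0-9a-f])")
    found = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:  # table names come from sqlite_master, not user input
        for row in conn.execute(f"SELECT * FROM {table}"):
            for cell in row:
                if isinstance(cell, str):
                    found.extend(pattern.findall(cell))
    return found


def run_comparison(key: bytes) -> dict:
    """Populate both patterns from the same swipes and audit each."""
    raw, minimized = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    raw_rows = store_everything_in_clear(raw, SAMPLE_SWIPES)
    min_rows = store_minimized(minimized, SAMPLE_SWIPES, key)
    cur = minimized.execute("SELECT * FROM swipes_min")
    columns = [d[0] for d in cur.description]
    tokens = [r[0] for r in cur.fetchall()]
    return {"raw_rows": raw_rows, "min_rows": min_rows,
            "raw_plaintext_pans": plaintext_pans_in(raw),
            "min_plaintext_pans": plaintext_pans_in(minimized),
            "min_columns": columns, "min_tokens": tokens}


if __name__ == "__main__":
    result = run_comparison(secrets.token_bytes(32))
    print("plaintext PANs found in raw store:", len(result["raw_plaintext_pans"]))
    print("plaintext PANs found in minimized store:", len(result["min_plaintext_pans"]))
    print("minimized columns:", result["min_columns"])
```

The point of the audit helper is that the "don't store it" control is verifiable: a dump of the minimized store yields no card numbers, whereas the raw store yields one per row plus the track data, which is what made the BJ's breach so expensive for issuers.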
BJ's settled charges with the FTC "that it failed to provide adequate security for its customer data" in 2005, and recorded $10 million in related costs. Beyond that $10 million, under the terms of the settlement BJ's must implement a comprehensive information security program and submit to third-party audits every other year for the next two decades.
PSECU, a card issuer that suffered a $100,000 loss reissuing cards to its affected members, sued BJ's and Fifth Third Bank in 2005. The credit union lost at the district court. The new ruling reverses the district court and allows PSECU to continue its case against BJ's and Fifth Third Bank. The appeals court found that even though the credit union was not a direct party to the contracts between VISA, BJ's, and Fifth Third, it has third-party beneficiary rights under them.
I can understand PSECU suing BJ's. After all, it was BJ's inadequate security that led directly to PSECU's loss. However, PSECU is also claiming that Fifth Third bore some responsibility for inadequately training BJ's staff. It is completely beyond me why this is Fifth Third's responsibility. Nevertheless, this ruling could have far-reaching consequences in the payment card industry by effectively making card processors answerable for the sins of their merchants. It could lead to changes in the PCI DSS standard, to processor-required training programs, to insurance impacts, or even force processors into effectively "policing" the PCI compliance and information risk management practices of their merchants.
It will be interesting to see how the suit finally turns out.