Sunday, March 31, 2013

PCI Goes to Court

Genesco has petitioned the courts to reimburse it for over $13 million in fines and penalties collected on behalf of Visa by payment processors following a 2010 data breach at the Tennessee-based sports retailer.  The heart of the case seems to center on contractual language regarding what constitutes noncompliance for the purpose of levying fines and penalties.

While it is doubtful that the outcome of the court case will set the PCI standard back on its heels, it does have the potential to cause a minor tremor throughout the PCI community for a couple of reasons:
  • The fine schema applied by the card processors for breaches appears (note word!) to be inconsistent.  As the article points out, Mastercard hit Genesco up for $2 million in fines for the same data breach for which Visa asked for $13 million.  This may or may not be an indicator of the ratio of card numbers/accounts that were exposed.
  • If Genesco can credibly demonstrate that it was, indeed, in compliance with the PCI-DSS at the time of the breach, then it may (again, note word :) ) cause folks to wake up to the notion that PCI compliance does not mean that an organization is secure.  If this happens, then retailers and merchants may question the validity of the standard, if only insofar as it pertains to the fines and penalties levied by the card brands.  If this occurs, it could open the floodgates regarding more sharing of the pain around data breaches between merchants, payment processors, and the brands themselves.
Regardless of the final outcome, I look forward to seeing the volume of the debate begin to increase...assuming, of course, Visa doesn't read the tea leaves and decide to settle with Genesco in order to squelch the noise :) 

You can read the full article here.  Enjoy!
