05 Jun How to prevent card data lawsuits from Visa and Mastercard
Chase Bank sues Landry’s for $20M over data breach
The only way merchants will take payment card compliance seriously is when they realize that Visa and Mastercard have more bite than bark.
An interesting quote from the article:
JP Morgan Chase Bank is suing Landry’s for $20 million in costs related to a 2015 credit card data breach affecting several of the Houston-based hospitality company’s restaurants and entertainment venues.
Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry’s failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach.
Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry’s properties, including Bubba Gump, McCormick & Schmick’s, Rainforest Cafe and Saltgrass restaurants. In response, Landry’s hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption.
It is clear that this is what Landry’s ought to have done before the breach. If lessons are to be learnt, this is what you need to do to avoid a breach.
The elephant in the room is this: how many businesses can exist without the ability to take card payments? I would say very few in this day and age, and that is really the issue.
At Paymentsandco.com, we keep shouting that hospitality firms like Landry’s should implement point-to-point encryption (P2PE), as it is the only approach that takes card data out of their networks.
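To make concrete what "takes card data out of the merchant's network" means, here is an added illustration of the P2PE data flow; it is not code from the original post or from any P2PE product. The terminal encrypts the PAN under a key that only the P2PE solution provider holds, so everything the merchant's POS, network and databases ever see is opaque ciphertext plus a masked PAN for receipts. The cipher is an HMAC-SHA256 keystream chosen so the script runs on the standard library alone; it stands in for the AES/DUKPT schemes real P2PE solutions use. The key and card number are constructed test values.

```python
"""
Added illustration of the P2PE data flow (not from the original post).

The POS terminal encrypts the PAN under a key that only the P2PE solution
provider holds; the merchant's systems store and forward an opaque blob plus
a masked PAN.  The keystream cipher below is a deliberately simple stand-in
for the AES/DUKPT schemes used by real P2PE solutions, so this runs with the
standard library only.  All keys and card numbers are constructed values.
"""
import hashlib
import hmac
import json
import re
import secrets

# Key injected into the terminal's secure cryptographic device by the
# provider.  The merchant never holds it.  (Constructed for the example.)
PROVIDER_KEY = secrets.token_bytes(32)

# Any run of 13-19 digits standing on its own looks like a full PAN.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(pan: str, key: bytes = PROVIDER_KEY) -> dict:
    """What the terminal hands to the merchant's POS: ciphertext, an
    integrity tag and a masked PAN (first six, last four) for the receipt."""
    nonce = secrets.token_bytes(12)
    data = pan.encode()
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
    }


def provider_decrypt(blob: dict, key: bytes = PROVIDER_KEY) -> str:
    """Runs inside the P2PE provider's decryption environment, never on
    merchant systems.  A wrong key or a modified blob fails the tag check."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("tampered or mis-keyed blob")
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plain.decode()


def merchant_record_exposes_pan(blob: dict) -> bool:
    """Scope check a QSA would effectively ask: does anything the merchant
    stores for this transaction contain a full card number?"""
    return bool(PAN_PATTERN.search(json.dumps(blob)))


if __name__ == "__main__":
    blob = terminal_encrypt("4111111111111111")      # constructed test PAN
    print("merchant stores:", blob)
    print("full PAN in merchant record:", merchant_record_exposes_pan(blob))
    print("provider recovers:", provider_decrypt(blob))
```

The point for scoping is the third function: because the merchant's copy of the transaction never contains a full PAN and the merchant has no key to recover one, a compromise of the POS network yields nothing the card brands would assess as exposed card data.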
Another interesting statement from the article:
Landry’s entered into a credit card processing agreement with Chase and Paymentech in 2008, according to Chase’s lawsuit. The agreement required merchants to comply with credit card security standards and reimburse Chase and Paymentech for any “assessments, fines and/or penalties” imposed by credit card companies for liabilities and the cost of reissuing new credit cards.
However, Landry’s refused to pay Chase and Paymentech for Visa’s nearly $12.7 million assessment and MasterCard’s nearly $7.4 million assessment, according to the lawsuit. The hospitality company argued in an April correspondence that it did not have any obligation to indemnify Chase and Paymentech for the assessments.
The above statement makes it crystal clear to me that IF you as a merchant want to take card payments, then the PCI DSS 3.2 rules apply. At Paymentsandco.com we go further: it is not just a matter of PCI compliance but of reducing the likelihood of a breach occurring, and clearly this has to be done per payment channel and per payment solution.
We once had a client whose counsel said we should not abide by Visa and Mastercard demands as they are an oligopoly. This is clearly laughable, and indicative of a counsel that has no experience and will get the merchant into a lot more trouble. The best way to describe the situation is as follows: in terms of payment services, Visa and Mastercard are more powerful than the Supreme Court of the US, more powerful than the Presidency and the Senate put together. If any of these entities take card payments, Visa and Mastercard have the right to withdraw their services unless they comply with PCI DSS.
With that said, one can only imagine what was going through the mind of Landry’s counsel.
Steve Scheinthal, Landry’s general counsel, sent the following statement to the Chronicle in response to Chase’s lawsuit:
“We deny the claims and do not believe that we have any liability to either Chase Paymentech or JP Morgan Chase. Visa and Master Card have wrongfully assessed Chase Paymentech who in turn is seeking reimbursement of these invalid assessments from us. Since Chase Paymentech’s business model relies entirely on those credit card brands, and since Chase Paymentech’s parent JP Morgan Chase would be the ultimate beneficiary of a substantial portion of the assessments if they are collected from Landry’s, Chase Paymentech would rather capitulate to the demands of the powerful credit card brands than stand up for its merchants by taking action to challenge Visa’s and MasterCard’s unlawful practice in imposing these assessments. We won’t stand for that and have retained the law firm of Ropes and Gray to defend Chase Paymentech’s claims against Landry’s and put a stop to this unlawful practice of Visa and Master Card.”
The above clearly relies on the various PCI assessments that were carried out, and at Paymentsandco.com we believe these are useless pieces of paper unless they are backed by an assurance that the likelihood of a breach has actually been reduced.
This is one of the reasons why we have a unique business proposition for the market: we believe you cannot treat PCI compliance as a paperwork matter; it is an architecture matter. If you are told you are PCI compliant but your payment channels have not reduced the likelihood of a breach occurring, you are NOT PCI compliant. You have just wasted your money on a useless piece of paper that is clearly meaningless.
I must say, the statement by this counsel is quite naive in characterising the lawsuit as capitulation, and the lack of experience in this field is remarkable.
Here are my predictions:
- Landry’s will realize that they will go out of business if they are unable to take card payments
- Visa and Mastercard will have to withdraw services from Landry’s, and that will signal its demise
- Landry’s counsel will be reprimanded for lack of foresight into this sector and inability to appreciate the consequences of his actions
- The amount demanded by Visa and Mastercard will be paid, and in full
- It will emerge that every compliance attestation Landry’s has had in the past was a fake or meaningless document; they signed the paperwork without fully understanding the consequences
- The cause of the data loss will be found to lie more on the merchant’s side than on the assessor’s side
- It will be found that Landry’s management did not take compliance as seriously as they ought to have and, whilst making money from the business, refused to invest to protect it
- There is no coherent record of how the payment channels operated, and the security of each payment channel was weak
- If Landry’s proceeds with the case, it will effectively blacklist itself from the financial services market
- It makes more sense for Landry’s to settle this matter out of court, get more sensible counsel and fix its PCI compliance once and for all, architecturally.