For merchants, accepting payment cards is not really a choice. Many merchants, however, are unaware of how that “choice” subjects them to significant potential liability in the event payment card data from cards swiped at the point-of-sale is stolen from their payment network. Often casually (but incorrectly) referred to as “PCI fines and penalties,” the …
A security event involving payment card data, especially card present data, can be one of the most costly events a company may face. Not only did a recent study report the average total cost of a data breach as $3.8 million, large payment card incidents such as those that occurred at Target and Home Depot …
The FBI’s Warning: Point-of-sale (POS) systems are under attack. In the wake of breaches at Neiman Marcus, Target and other stores over the 2013 holiday season, the FBI is now warning retailers to expect similar cyber attacks in the coming months. The warning came in the form of a 3 page report distributed to numerous …
BakerHostetler recently hosted a webinar that provided a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. The panelists also discussed what the continuing and emerging threats may be in 2014 and how to integrate security into …
Please join us from 2-3:30 pm ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may …
Editors’ Note: This blog post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. Relying heavily on the Supreme Court’s recent Clapper decision, a federal court dismissed a class action lawsuit arising out of a “skimming” data breach against Barnes & Noble (BN). In re Barnes & Noble Pin Pad Litigation, Case # 12-cv-8617 (N.D.Ill. …
Federal prosecutors announced yesterday the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including Global Payments, Heartland Payment Systems, Hannaford, and NASDAQ, among …
2012 was a challenging year for the Food and Beverage (F&B) industry. In addition to increased government regulation, rising food prices and relatively slow growth trends, the industry once again was a favorite target of cybercriminals. According to the 2013 Trustwave Global Security Report, cyberattacks on F&B enterprises comprised 24% of attacks in 2012, second …
Earlier this month, the Massachusetts Supreme Court issued an opinion holding that zip codes “may well qualify” as personally identifiable information under the Massachusetts law controlling the treatment of PII in credit card transactions. The Massachusetts case echoes a 2011 ruling from the California Supreme Court which similarly held zip codes to be PII. Like the earlier California case, the …
Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system. Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken. Three individuals brought a …
Last week a small New England bakery announced that its point-of-sale (POS) devices were infected with malware that may have put card data at risk. The bakery’s letter to its customers stressed that it did not store card data on its computer systems, but the malware allowed an unauthorized person to gather card data as …
The interchange fee and the potential of mobile payments were the dominant payment system issues in 2012. From a landmark antitrust settlement to seemingly daily announcements of a new prepaid or mobile payment product, there was plenty of activity in 2012. However, following opt-outs and objections to the settlement, the rise-and-fall of new products, and …
As we reported in December 2010, after an online merchant suffered chargeback losses of almost $12,000 on nine fraudulent orders, it sued the bank that issued the nine cards that were fraudulently used alleging that the most likely cause of the fraud was a data security breach at the bank that the bank ignored. The merchant …
The Third Circuit recently affirmed a district court’s decision refusing to enjoin an amendment to the New Jersey Unclaimed Property Act (the “Act”) which requires issuers of stored value cards (“SVCs”) to obtain the name and address of purchasers of SVCs and to maintain a record of the zip code of each purchases. New Jersey Retail …
While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing. During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), …
Until last week, most of us thought that the Hannaford Brothers data breach litigation was just another example of how Plaintiffs are not able to recover in class action lawsuits without proof of actual harm. The Hannaford Brothers supermarket chain suffered a data breach between December, 2007 and March, 2008 where hackers accessed over 4M …
Verizon recently released its 2011 Payment Card Industry Compliance report, a companion report to its annual Data Breach Investigations report that we discussed here. The PCI compliance report presents findings based on Verizon’s work as a Qualified Security Assessor (QSA) (a QSA conducts an annual audit to determine if a company is in compliance with …
Over half of the companies surveyed by Trend Micro in May 2011 reported having cloud computing services being developed, implemented, or already in production. The survey also reports that security concerns continue to be a primary reason companies are holding back their adoption of cloud computing. The security concerns related to virtual environments are heightened …
In a February co-post with Baker Hostetler’s Hospitality Lawg, we wrote about security breach reports that continued to show hospitality and restaurant groups as favorite targets of hackers. Two of the factors we cited as explanations for their vulnerability—failure to secure wireless networks and not complying with the Payment Card Industry Data Security Standard (PCI …
This entry was also posted on the Hospitality Lawg—a Baker Hostetler blog featuring commentary on hospitality law, news, and developments. It should no longer come as a surprise that the hospitality and food and beverage industries are favorite targets of hackers. Indeed, some commentators have suggested that hackers view these industries as the low-hanging fruit. …
On February 10, 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma, finding that a ZIP code constitutes “personal identification information” under California’s Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Act”). The Song-Beverly Act prohibits retailers from requesting and recording “personal identification information” as a condition of a credit card transaction. …
Cisco released a white paper on January 12, 2011, which reported that results from its survey of 500 IT decision makers show that PCI DSS compliance is no longer viewed as overly expensive and burdensome. Instead, the survey revealed “one overwhelming message: Organizations of all types view PCI compliance as a necessary and worthwhile investment.” …
U.S. Bank removed a putative class action complaint filed by an online merchant named Paintball Punks to U.S. District Court in Minneapolis on December 6. The complaint alleges that Paintball Punks suffered chargeback losses of $11,259.91 from nine transactions that were fraudulently billed to U.S. Bank-issued credit cards as a result of U.S. Bank’s failure to “remedy known …