I read and heard the news that Global Payments, a credit card payment processing company, was breached and approximately 1.5 million accounts were compromised. I thought nothing of it, beyond, those folks whose accounts just got compromised just had their day ruined.
Should I have been a bit more introspective? On March 31, I received an email from my credit monitoring service saying that a negative event had been recorded on my credit report (on April 2 I'd receive another such advisory). Also on Monday, April 2, there arrived a plain, nondescript envelope containing a letter with a card of some sort inside. I sure hoped this was another of those "bring this card in when you open an account and we'll give you $50" direct mail offerings from a local bank. I knew I wasn't going to be so lucky.
The letter starts off: "Enclosed is your replacement Visa card, including a new account number."
The good news continues:
At "your bank," we take your account security very seriously. We have learned that some credit card information from your Visa account may have been compromised at a third-party location. For your protection, your existing Visa account will be closed within seven days of the mailing date of this correspondence.
The letter closes:
You can feel safe knowing that your account comes with exceptional security and protection. With zero liability fraud protection, you won't be held liable for the fraudulent use of your credit card.
- Activate the new credit card immediately & destroy the old card
- Call the vendors with whom I have auto-pay and change the account information
- Check the credit card statement for fraudulent charges and report any to the bank
- Check the credit report for the next year (and beyond) for spurious credit events (credit cards, loans, liens, etc.)
Here's how my credit reporting company displayed the event to me:
Once the dust settled, I reviewed all the steps taken. I tried to obtain more data on this specific breach: I contacted Global Payments and asked some basic questions, which I hoped would allow me to determine whether their breach was the cause of my credit card being replaced (answers provided in bold).
1. What was the final number of accounts which were compromised by the unauthorized access to your system? ~1,500,000 per FAQ
2. How many banking institutions (Banks, Savings&Loan, Credit Unions, etc) were affected? No Answer
3. In which states were "breach notification laws" germane to the unauthorized access to your system? No Answer
4. Was this event limited to U.S. cardholders or was this international? Predominately U.S. per FAQ
5. Was your system judged to be compliant with the PCI standards? No Answer
A. What was the date of the most recent compliance certification? No Answer
B. Who or what entity conducted the compliance certification inspection? No Answer
6. Are you offering "credit report" monitoring to all of those whose credit cards have been compromised? Contact your bank per FAQ
Global Payments forwarded to me a link to their crisis FAQ page they created: Global Payments 2012 Info Security Update
Absent any exactness in the answers, I tallied up who was expending effort and concluded: the issuing bank had expended time and energy, as had the vendors with whom I do business, and I too had expended time and energy. All of these expenditures were required to clean up after an entity that lost my credit card data.
Back to Global Payments: the fact that VISA suspended Global Payments' PCI-DSS certification made sense -- they were breached. And as we all know, "Compliance does not equate to Security." Receiving a certification of compliance demonstrates only that, at that given point in time, the entity was in adherence to the PCI standards in place at that specific time. The threat landscape is dynamic and ever-changing, requiring those entrusted with our data to take steps beyond compliance to protect that data.
Given that a "third party" lost my PCI data and caused a cascade of events and expenses for others, there had to be an equitable way to pass the costs and expenses through to the party responsible for those events. I thought I would do a light calculation on the amount of time expended: if each individual whose card data was compromised spent 30 minutes, and their vendors also spent that same 30 minutes, then the Global Payments event alone consumed approximately 1,500,000 hours of lost and uncompensated labor (not including the resources and expenses incurred by the bank, VISA and Global Payments). Quite an expense, and quite the loss, at a time when our economy can least afford to squander any resources. What recourse may be available?
I'd like to propose that VISA, MASTERCARD, AMEX, CITI and the other card services levy a $100 fine upon any PCI-certified entity which loses customer PCI data. This $100 should pass through directly to the card holder. Why $100? It's not a large amount, while still being of sufficient size to send a clear message to any entity which loses a consumer's PCI data. The certification process for PCI-DSS is an industry certification (not governmental). Therefore, if a PCI-compliant company loses its customers' data, it can effectively be held both accountable and responsible to those shouldering the clean-up -- or at least to the tune of $100 per account.
What do you think of this proposal?