I came across an interesting article recently that highlights not only the potential financial impact of non-compliance, but also the complex way in which one party's non-compliance can hurt the other parties in the value chain.
A brief summary. A POS (point of sale... although another interpretation might also be appropriate) terminal was sold to a number of restaurants in the South. After using the system for several weeks, these restaurants started observing strange behavior (e.g., the mouse moved at random and could not be controlled), and reports of credit card theft started to come in from Visa and Mastercard. It turns out, after much forensic analysis, that there was a major breach by a Romanian hacker, who stole data from hundreds of credit cards. The hacker was able to do this because of two factors:
The POS system stored ALL the data on the card's magnetic stripe even after the transaction was complete, a clear violation of PCI DSS, which prohibits storing full track data after authorization.
The technicians from the company that sold and maintained the systems used absurdly poor security when installing the software, such as the same default username and password on every system, which left the remote-access path to each restaurant guessable once one was known.
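The first factor is the kind of thing a merchant or assessor can check for directly: if full track data is anywhere on disk after authorization, the system is out of scope for "compliant" no matter what the vendor claims. The following is an added example, not code from the article or from the POS vendor, that scans a constructed log or database dump for Track 1 and Track 2 magnetic-stripe data, masks the PANs in its findings, and uses the Luhn checksum to separate real card numbers from look-alike noise. The sample dump, card numbers (the well-known Visa test PAN and a one-digit variant) and field layout are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of what a POS system's transaction log or database dump might
# hold if it keeps card data after a sale completes. The card numbers are the
# well-known Visa test number 4111111111111111 and a one-digit variant that fails
# the Luhn check; none of this comes from the article or from a real system.
SAMPLE_DUMP = """\
2013-06-02 19:41:07 txn=8831 amount=42.17 auth=APPROVED
track2=;4111111111111111=25121011234567890?
2013-06-02 19:41:08 txn=8832 amount=18.00 auth=APPROVED
track1=%B4111111111111111^DOE/JOHN^25121011234567890?
2013-06-02 19:41:09 txn=8833 amount=5.50 auth=DECLINED
last4=1111 exp=2512
2013-06-02 19:41:10 txn=8834 note=garbage ;4111111111111112=2512101?
"""

# Track 2: ;PAN=YYMM<service code + discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# Track 1 (format B): %B<PAN>^<NAME>^YYMM<service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict[str, object]]:
    """Scan text for full magnetic-stripe track data and return one finding per hit.

    A truncated PAN (last four) and an expiry date on their own may be stored
    under PCI DSS, so the 'last4=... exp=...' style line is deliberately not matched.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK1_RE.finditer(line):
            pan, name, exp = m.group(1), m.group(2), m.group(3)
            findings.append({"line": lineno, "track": 1, "pan": mask_pan(pan),
                             "exp": exp, "name": name, "luhn_valid": luhn_ok(pan)})
        for m in TRACK2_RE.finditer(line):
            pan, exp = m.group(1), m.group(2)
            findings.append({"line": lineno, "track": 2, "pan": mask_pan(pan),
                             "exp": exp, "name": None, "luhn_valid": luhn_ok(pan)})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count confirmed hits (Luhn-valid PAN) separately from probable false positives."""
    confirmed = sum(1 for f in findings if f["luhn_valid"])
    return {"total": len(findings), "confirmed": confirmed,
            "suspect": len(findings) - confirmed}


if __name__ == "__main__":
    hits = find_track_data(SAMPLE_DUMP)
    for f in hits:
        print(f"line {f['line']}: track {f['track']} data, PAN {f['pan']}, "
              f"exp {f['exp']}, luhn_valid={f['luhn_valid']}")
    print(summarize(hits))
```

Run against the constructed dump it reports two confirmed findings (the Track 2 and Track 1 records on lines 2 and 4) and one suspect hit whose PAN fails Luhn, while the line holding only the last four digits and expiry is left alone. In practice the same scan would be pointed at the POS database files, debug logs and swap areas, and any confirmed hit means sensitive authentication data is being retained after authorization.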
So, what was the impact on each restaurant? The original system cost $20K, but some restaurants later had to pay for forensic analysis ($19K), a fine from Visa ($5K), a fine from Mastercard ($100K, later rescinded), and partial restitution for the fraudulent transactions ($20K). So, the original $20K investment in a "state of the art" system turned into an unmitigated disaster. The vendor of the POS system denies all responsibility; hopefully, they have a good lawyer who can argue that with a straight face.
I’m not sure there are any universally applicable lessons here, but a few observations struck me.
First, it’s remarkable that such poor security practices would occur, especially in a technology product in which security is essential.
Second, compliance is serious business. Some regulations are enforced more strictly than others, but in many cases (particularly PCI), the penalty for non-compliance can be debilitating.
Third, the days of compliance impacts being limited to your own enterprise are over, particularly for providers of technology solutions. Compliance is often a multi-faceted network or value chain, and any non-compliance by one participant can have significant (and often hidden) impacts on the other participants. In this case, the impact was very painful, and potentially disastrous.
I’m pulling for the restaurants.
Latest posts by Sumner Blount