Sep 08 2014
We all know that Target got compromised last year, but what some of you might not know is that the banks that issued the compromised credit cards are suing Target. They’re saying that because Target didn’t take sufficient measures to protect the card data, the banks had to spend millions of dollars to re-issue every one of the compromised cards. It makes sense on the surface, since the banks incurred the cost due to the insecurity of Target’s systems. But here’s the rub: there’s no direct relationship between the issuing banks and Target.
I find it funny because this relationship is one of the things that was drilled into me from the start of my Qualified Security Assessor training. There is a relationship between the merchant and its bank, called the acquiring bank; between the acquiring bank and the card brands; between the card brands and the issuing banks; and finally between the issuing bank and the consumer. This was done with careful thought to create a buffer between the card brands and both merchants and consumers. As a consumer, if you have an issue, you have to take it to your own issuing bank or the merchant, since you have no direct relationship with the card brand or the acquiring bank. It’s also why the card brands have always said that they don’t issue fines to compromised merchants; it’s the merchant’s bank that has to issue the fine. The picture below illustrates this relationship and is similar to what was used to train QSAs when I went through training.
I find a certain poetic justice in this defense being used by Target. The card brands and the banks developed this system in part because it’s a reasonable way for transaction clearance to work, but also in large part because it gave as many parties as possible a way to distance themselves from the sins of another party. Except the banks and card brands meant for it to be a buffer from lawsuits between them and both merchants and consumers, never thinking it would provide a buffer for the merchants as well.
I don’t claim any deep understanding of the underlying legal statutes that could affect this case, but I do see that Target’s defense could call any QSA worth his or her salt to the stand to illustrate the point. It’s going to be much harder to establish that Target owed a responsibility to the issuing banks when any witness with knowledge of the Payment Card Industry Data Security Standard is going to have to say, under oath, that they had been trained from the first day that there’s no relationship between the two entities. On the other hand, if the buffer is dismantled legally, it also opens an avenue for merchants to sue the card brands, so either way the banks are going to be the losers in this battle. Well played, Target, well played.