Executive Insight: Who is PCI Really Protecting?
By now, most in our industry have heard of the restaurateurs in Park City, Utah who are suing their merchant bank and, consequently, might end up taking on the whole PCI system. For those unfamiliar with the story, Wired has a good article on the case.
Basically, Cisero’s Ristorante was accused of suffering a data breach. Visa and MasterCard – acting as judge, jury, and executioner – levied nearly $90,000 in fines on their acquirer, U.S. Bank. (This in spite of the fact that forensic investigators could find no conclusive evidence of a breach.) As is the practice in our industry, the bank passed these fines on to the merchant, and U.S. Bank began immediately, and without notice, to siphon funds from Cisero’s bank account.
When Cisero’s owners closed their account and refused to pay, U.S. Bank sued, and the owners counter-sued, citing a lack of due process and claiming they were forced into a one-sided contract.
So, what do we make of all this? First, an admittedly political observation – the current administration is so focused on consumer protection that it is actually hurting businesses. Second, and related to the first point, the PCI regulations, originally designed to protect merchants and consumers, are in fact helping only the banks and card brands – to the detriment of those they were designed to protect. Third, the implications of the lawsuit could be huge for our industry. Bloggers and industry pundits are already speculating on the potential outcomes. I pose their question to you: if this lawsuit takes the teeth out of PCI (i.e., removes banks’ ability to fine merchants and/or to collect those fines), will you still make the effort to comply with their regulations?
My company was the first paying member to join the PCI Council. We sent in our dues before they even had an account ready to receive them. We were thrilled by the prospect of a universal standard for card data security. We were active participants until recently, when, due mainly to politics and infighting, the Council became a lot like our Congress – full of bright minds and good ideas, but entirely unable to agree long enough to issue a coherent guideline.
The PCI Council is not a world government, merchant banks are not the IRS, and neither have any legal right (beyond those rights they give themselves in the small print of the one-sided contracts they issue to uninformed merchants) to levy fines or to seize assets or funds. The fact that they give themselves these powers is, frankly, terrifying. PCI should be protecting all parties involved in the payment process. Not just the big dogs and not just the consumers, but everyone involved. Until that happens, we have to side with Cisero’s.
Without merchants, without small and mid-sized businesses growing and reinvesting in our society, our economy will fail. We must support them and protect them. Shift4, as a staunch merchant advocate, stands with those who fight against unfair regulations passed down from power-hungry mega-corporations.
P.S. Cisero’s, if you happen to see this, good luck to you. Know that we stand with you, and please let us know if there’s anything we can do to help.