PCI, "Safe Harbor" and Hannaford

This Computerworld article was some issues: Hannaford may not have to pay banks' breach costs under PCI, says Gartner

This key part of the article is problematic:

“If true, Hannaford has a safe harbor under PCI and will not be required to reimburse banks and credit unions for any breach-related costs they may incur, according to information that Gartner analyst Avivah Litan said she has previously received from Visa Inc. Typically under PCI rules, if a company is noncompliant at the time of a beach, it faces two potential costs: fines from the payment-card companies and reimbursements of breach-related costs sustained by card-issuing banks and credit unions. Those costs can include payment of fraud losses resulting from the use of compromised payment-card data as well as breach notification and the costs associated with reissuing cards.

The fines and the reimbursement costs are not collected directly from the breached entity but through the "acquiring bank" that authorizes a company such as Hannaford to accept payment-card transactions. Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI-compliant.

In Hannaford's case, while its acquiring bank may still get hit with a fine, "the buck stops there," Litan said. "Under the guidance Visa gave me, the acquiring bank wouldn't be able to take it back to the retailer," she said.”

It appears that Litan is referencing the VISA CISP “Safe Harbor.” Interestingly, if you go to VISA’s CISP website, the reference to the Safe Harbor has been removed. Here is what it used to say (as late as August 9, 2007 according to the Internet Archives) :

Safe Harbor

Safe harbor provides members protection from Visa fines in the event its merchant or service provider experiences a data compromise. To attain safe harbor status:

1. A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
2. A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
3. It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
   

Link Here.

That language has been replaced on VISA’s website with this:

Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.

Link Here

A few things to say:

(1) Safe Harbor for Fines Only. According to VISA’s website the Safe Harbor (whatever version is applicable) only applies to fines. Therefore, unless there is information out there that says it applies to reimbursing banks, it would appear that the Safe Harbor is limited. Litan indicates that she has seen some information; it would be excellent if she shared that.

(2) Safe Harbor at Visa's Discretion? As you can see, the VISA website has gone from “to attain safe harbor status” to “Visa may waive fines.” Its not clear from this language whether safe harbor is “automatic” if a company can establish PCI compliance and VISA validation requirements, or whether its at VISA’s OPTION to (e.g. “may waive”) to waive fines if the merchant can establish compliance and validation.

(3) PCI Compliance and Validation Required. The safe harbor requires not only a demonstration of PCI compliance, but also requires (in both versions) that the merchant meet “compliance validation requirements.” So, by this language, a merchant may have been PCI compliant, but it is unclear whether or not the safe harbor would be available if the merchant it did not “validate” that compliance with VISA (basically do a bunch of paperwork: link here)

(4) Safe Harbor Limited to Visa; Not Other Card Brands. Visa’s safe harbor on its face would not provide protection from the other card brands, including MasterCard, Discover, AMEX, etc. If there is a side agreement between the card brands to honor compliance with VISA’s safe harbor, I have yet to see it. This article gives the impression that compliance with VISA rules will somehow protect you from other card brands.

(5) Article Misidentifies "PCI Rules." As a follow up to (4), the article refers to the contractual arrangements between banks, credit card companies and merchants as “PCI Rules.” In fact, those relationships are governed by each of the card brand’s security programs. VISA’s program is the Cardholder Information Security Program. Mastercard’s is the Site Data Protection Program. So if a merchant deals with all five card brands it must comply with not only the PCI Standard (a security standard) but also five security programs. These programs have different definitions, procedures and requirements. To avoid confusion, people need to be careful to not conflate “PCI” with the card brand security programs.

(6) No Proof that Issuing Banks Bound to Honor Safe Harbor. the article appears to suggest that attaining VISA safe harbor will somehow prevent a merchant from having liability to issuing banks for the costs to reissue credit cards. It is not clear how an issuing bank would be bound by VISA’s safe harbor; (a) as discussed below the safe harbor only deals with fines; and (b) the issuing bank is not in a contractual relationship with a merchant with respect to PCI so a merchant would have no basis to enforce the safe harbor against the issuing bank. If there is a document that requires all VISA issuing banks to respect the safe harbor it should be shared publicly so everybody can assess their liability.

(7) The Buck Only Stops if the Contract Stops It. The article suggest that in terms of fines, if safe harbor is attained, “the buck stops” at the acquiring bank. I would maintain that where the buck stops between a merchant and its acquiring bank is dictated legally by the terms of their contract and you cannot make a blanket statement.

On the broader issue, claiming PCI compliance and even actually achieving it does not automatically mean immunity in a lawsuit setting by any stretch

It is entirely possible to be PCI compliant and still have “unreasonable security” for purposes of negligence suit by consumers or banks. Its possible to state you are PCI compliant and not actually be compliant. Moreover, it’s even possible for the PCI Standard itself to be “unreasonable” (although that is obviously a more difficult argument to make to the extent the PCI Standard is “industry standard). A case that every security professional should know about: T.J. Hooper In short, the issues around PCI are much more complex then being presented here and I think people need to be careful since there is already enough confusion out there already.

Much, much more to come...