Data Isn't but V/MC's Protected

In my last post, I ended it by saying that Heartland's only chance for survial is getting the dynamic duopoly, a.k.a. V/MC, to cover the costs incurred by the banks having to replace consumer cards.  I thought they had a decent argument, given the fact that they were PCI compliant.

Well, I just got done reading an article  which contained a statement from Visa regarding PCI assessments...it seems to thwart any legal argument Heartland may have.  

You see, apparently the data might not be protected, but V/MC has certainly made sure that they are.

Information Week's Andrew Conry-Murray, in an article titled, "PCI is Meaningless, But We Still Need It", points out:

Assessments "do not guarantee that those security controls remain in place after the review is complete."  In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off.

He goes on to say: "I believe PCI was constructed this way for two reasons.

First, it absolves the assessors and the card brands of any liability should a compliant company get breached.  The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows."

Yes, and it looks like Heartland gets to play the part of roadkill...the banks/V/MC get to pick their part,  scratch that, pick-a-part  in their role as a "murder of crows."

Heartland's tough battle just got tougher...and the prognosis isn't good.  Lizbith...dis is da big one!

PIN Debit Payments Blog

Related articles by Zemanta

• Security is not the same as compliance