Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance
David Navetta writes:
The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches of have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach in (2007; 45 million card exposed) dominated the news cycle. The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed. This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade: has anything really changed?
Read more on InfoLawGroup, where David argues that just as states require automobile insurance, they could similarly require cyberinsurance for breaches. Alternatively, and as David seems to prefer, the card brands at the top of the pyramid could make it a contractual requirement for businesses that want to accept their cards.
As a side note, I need to point out that David mentions the reports of Michaels Stores being breached. As of a few days ago when I reached out to them. Michaels Stores has not confirmed that they have had any breach . That’s not to say that they may not have had a breach, but just to point out that it’s possible that we will hear that there’s been no breach in that case.