Vermont Settlement Triggers Retailer Concern

The agreement shows that states can hold retailers accountable for card fraud losses.

October 11, 2013

WILLISTON, Vt. – A settlement brokered by Vermont’s attorney general could spell trouble for retailers, Bank Info Security reports. The $30,000 agreement was with Natural Provision, which was charged with failing to notify customers of a security breach in a timely fashion.

The case could mean that more banks would be calling on state attorneys general to investigate card fraud connected to retailers, said Marjorie Meadors with Republic Bank & Trust. Most of the time, financial firms alert local and federal law enforcement of any breaches, not state attorneys general. “Maybe we should pursue the breach angle with state agencies in the future,” she said. “Some additional fines from the state agencies would further encourage smaller merchants to take a closer look at how they are updating their [point-of-sale] software.”

In the case of Natural Provision, Vermont Attorney General William Sorrell found that the company’s lack of adequate security played a role in the data breach. Meadors said that retailers also need to be aware of how their point-of-sale software firms handle security. “Some [POS] software companies are not properly educating their merchants about the risk and the need to keep the software updated and patched,” she said. “We have been told that often the software companies or their resellers are not sending out patches or updates, even when the merchants have paid for them. It will probably take some merchants bringing lawsuits against their software providers to get any action.”

“It is absurd, to me, that the victim is fined for the crime. In state after state, banks and card brands are fleecing legislators into believing that retailers can completely safeguard unauthenticated payment cards, and provide pristine processing environments that counter the security flaws in their product,” Gray Taylor, payments consultant to NACS, told NACS Daily.

“Yes, the consumer is the first victim, but card brands indemnify them from most harm. It is the merchant who becomes the payee of all costs associated with card breaches – even though most breaches would not occur if card brands simply required personal identification numbers (PINs) on all transactions,” said Taylor. “In this respect, the card brands are simply negligent and should assume financial responsibility until they fix their products like any other business in America.”
