New data security legislation could make restaurants take the blame, bear the costs

Nation's Restaurant News,  Sept 3, 2007  by Dave Hermann

As a Texas-based restaurant operator for 10 years, I've seen our industry experience the best and worst sides of information technology. The quick swipe of a plastic card and prompt approval from a bank hundreds of miles away has provided convenience for customers and boosted sales for retailers, service providers and restaurants.

Unfortunately, criminals also have profited from digital-age convenience, as credit and debit card data theft poses a growing threat. A security breach is a nightmare for any restaurant operator, but the remedies being offered by policymakers can be just as troubling.

Texas is just one of the many states where proposed legislation intended to enhance security and protect customers will result in excessive liability for restaurants and ultimately higher prices for our customers.

When news spread that thieves had hacked into the financial data of millions of customers of a major retailer, legislatures from several states, while reacting to a genuine problem, went overboard. The politicians wanted to put new rules, created by the credit card companies, into state law.

The problem is that putting the Payment Card Industry Data Security Standard, or PCI DSS, into state law leaves the cost burden with restaurants, when it clearly should be a shared responsibility.

Under the PCI mandates, businesses that process credit cards will be forced to pay thousands of dollars to keep pace with complex and constantly changing security features.

Many businesses will have no choice but to pass these costs on to their customers in the form of higher prices.

Restaurants can be fined as much as $25,000 a month if customer financial data is stolen. Worse still, restaurants could be sued by banks or credit unions, even as they are in the midst of dealing with a devastating breach.

The new legislation also would make it illegal for businesses to store a customer's personal identification number, security code or magnetic-stripe information for more than 48 hours after a transaction is authorized, something we currently do as a precaution against online predators to protect our customers.

Consider the following scenario: A security system detects that cardholders with fraudulent transactions have visited your restaurant. You then are told to undertake a security audit--at your expense. If violations are found, you may be held responsible, even if there is no direct evidence of compromised data.

Of course, it doesn't matter if your very expensive security vendor, whom you relied on, made the mistake. You're still liable.

At this point, a bank could sue you for "the cost of reasonable actions undertaken" to respond to the breach. The laundry list of things you might have to pay for includes the costs of canceling and reissuing credit and debit cards, stop-payment actions, unauthorized-transaction reimbursements, and notification to all of the account holders affected by the breach.

This isn't all theoretical. There are very real and recent instances of small- or mid-sized restaurant operators being hit with significant fines for claimed PCI data security violations. What was their mistake? Their software might not have had the latest updates installed quickly enough.

You don't have to be negligent to wind up with slightly outdated software on your machines. After all, there are over 200 subcomponents within the 12 security features of PCI. It's as if no one ever thought about what it actually would take for all the little guys out there to implement this thing.

But here's the kicker: The way the law is structured, you can never tell if you're in full compliance. Your lawyer won't even be able to say if you're covered. Even if you're doing everything right one day, the rules could change, and you could be subject to retroactive fines the next day.

These laws are asking us to do the impossible. They want us to adhere to an ultra-strict compliance standard that is in constant flux.

We're spending millions of dollars to become compliant but still find ourselves facing a moving target. I suppose that's the nature of criminals--they always try to beat the newest system. But when did it become the sole responsibility of restaurants to stay ahead of computer crime?

As restaurants do all the work and assume all the liability, the big credit card companies do nothing to upgrade their data protection on credit cards. In Europe and Canada, these responsibilities already are shared, so credit card companies could do it here too, if they wanted to.

So how did all this play out in Texas? Our House of Representatives put PCI legislation on a fast track, passing it swiftly and unanimously. Fortunately, a strong coalition of business groups acted quickly and was able to put the brakes on the legislation in the Senate until a more thorough review could be completed, and we could discuss a compromise that spreads the responsibility for security breaches more evenly.

Unfortunately, Minnesota businesses weren't lucky enough to have time on their side, because the news-making security breach happened to a St. Paul, Minn.-based retailer. Both legislative chambers passed PCI legislation with nary a dissenting vote.