Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Payment Card Industry

Subscribe to Payment Card Industry RSS Feed

ICYMI – Recording of Managing Cardholder Data Security Risks in an Evolving Payments Landscape Webinar

Posted in Payment Card Industry
BakerHostetler recently hosted a webinar that provided a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them.  The panelists also discussed what the continuing and emerging threats may be in 2014 and how to integrate security into … Continue Reading

January 15 webinar: Managing Cardholder Data Security Risks in an Evolving Payments Landscape

Posted in Payment Card Industry
Please join us from 2-3:30 pm ET on January 15 for a webinar that will provide a look back on significant payment card security events that occurred in 2013 and the security, risk mitigation, and customer relations lessons that can be learned from them. We will also discuss what the continuing and emerging threats may … Continue Reading

Class Action Plaintiffs Lack Standing under Clapper to Sue Barnes & Noble for Credit Card Data Breach

Posted in Data Breaches, Payment Card Industry, Privacy Class Actions
Editors’ Note: This blog post is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog. Relying heavily on the Supreme Court’s recent Clapper decision, a federal court dismissed a class action lawsuit arising out of a “skimming” data breach against Barnes & Noble (BN). In re Barnes & Noble Pin Pad Litigation, Case # 12-cv-8617 (N.D.Ill. … Continue Reading

Federal Prosecutors Indict Accused Data Thieves

Posted in Data Breaches, Enforcement, Online Privacy, Payment Card Industry, Privacy
Federal prosecutors announced yesterday the arrest and indictment of five men accused of involvement in the theft of over 160 million credit card numbers. According to prosecutors, thefts by this group involved some of the largest and most notable U.S. data breaches of recent years, including Global Payments, Heartland Payment Systems, Hannaford, and NASDAQ, among … Continue Reading

Cyber Criminals’ Menu Features the Food & Beverage Industry; Steps to Protect Your Business

Posted in Data Breaches, Payment Card Industry
2012 was a challenging year for the Food and Beverage (F&B) industry. In addition to increased government regulation, rising food prices and relatively slow growth trends, the industry once again was a favorite target of cybercriminals. According to the 2013 Trustwave Global Security Report, cyberattacks on F&B enterprises comprised 24% of attacks in 2012, second … Continue Reading

Massachusetts Follows California in Finding Retailers Vulnerable to Suit for Collecting Zip Codes in Credit Card Transactions

Posted in Payment Card Industry
Earlier this month, the Massachusetts Supreme Court issued an opinion holding that zip codes “may well qualify” as personally identifiable information under the Massachusetts law controlling the treatment of PII in credit card transactions. The Massachusetts case echoes a 2011 ruling from the California Supreme Court which similarly held zip codes to be PII. Like the earlier California case, the … Continue Reading

Magistrate Recommends Dismissal with Prejudice of Claims Against Global Payments

Posted in Payment Card Industry, Privacy Class Actions
Global Payments, which processes credit card transactions, announced on March 30, 2012 that an unauthorized person gained access to a portion of its processing system.  Global Payments later disclosed that Track 2 data (card number, expiration date, verification code but not cardholder name or address) of 1.5 million cardholders were taken.  Three individuals brought a … Continue Reading

Do Merchants That Outsource Payment Processing Still Have Risk From a Breach?

Posted in Data Breaches, Payment Card Industry
Last week a small New England bakery announced that its point-of-sale (POS) devices were infected with malware that may have put card data at risk.  The bakery’s letter to its customers stressed that it did not store card data on its computer systems, but the malware allowed an unauthorized person to gather card data as … Continue Reading

2012 Payments Systems Year-in-Review

Posted in Payment Card Industry
The interchange fee and the potential of mobile payments were the dominant payment system issues in 2012.  From a landmark antitrust settlement to seemingly daily announcements of a new prepaid or mobile payment product, there was plenty of activity in 2012.  However, following opt-outs and objections to the settlement, the rise-and-fall of new products, and … Continue Reading

Third Circuit Sustains “Data Collection Provision” of NJ’s Unclaimed Property Law

Posted in Information Security, Miscellaneous, Payment Card Industry
The Third Circuit recently affirmed a district court’s decision refusing to enjoin an amendment to the New Jersey Unclaimed Property Act (the “Act”) which requires issuers of stored value cards (“SVCs”) to obtain the name and address of purchasers of SVCs and to maintain a record of the zip code of each purchases.  New Jersey Retail … Continue Reading

Privacy and Data Breach Regulatory Activity–A Year in Review

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Identity Theft, Information Security, Medical Privacy, Online Privacy, Payment Card Industry, Privacy
While plaintiffs continue to face an uphill battle proving damages in privacy litigation – regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), … Continue Reading

Does the First Circuit’s Decision in Hannaford Signal a Changing Tide?

Posted in Data Breaches, Payment Card Industry
Until last week, most of us thought that the Hannaford Brothers data breach litigation was just another example of how Plaintiffs are not able to recover in class action lawsuits without proof of actual harm. The Hannaford Brothers supermarket chain suffered a data breach between December, 2007 and March, 2008 where hackers accessed over 4M … Continue Reading

Verizon PCI Report Shows Companies Still Struggle with Compliance

Posted in Payment Card Industry
Verizon recently released its 2011 Payment Card Industry Compliance report, a companion report to its annual Data Breach Investigations report that we discussed here.  The PCI compliance report presents findings based on Verizon’s work as a Qualified Security Assessor (QSA) (a QSA conducts an annual audit to determine if a company is in compliance with … Continue Reading

PCI Security Council Releases Standards Guidance for Virtual Environments

Posted in Cloud Computing, Payment Card Industry
Over half of the companies surveyed by Trend Micro in May 2011 reported having cloud computing services being developed, implemented, or already in production.  The survey also reports that security concerns continue to be a primary reason companies are holding back their adoption of cloud computing.  The security concerns related to virtual environments are heightened … Continue Reading

Restaurant Group Pays $110,000 to Settle Lawsuit Alleging a Failure to Secure Payment Card Data

Posted in Payment Card Industry
In a February co-post with Baker Hostetler’s Hospitality Lawg, we wrote about security breach reports that continued to show hospitality and restaurant groups as favorite targets of hackers.  Two of the factors we cited as explanations for their vulnerability—failure to secure wireless networks and not complying with the Payment Card Industry Data Security Standard (PCI … Continue Reading

Hospitality and Food and Beverage Industries Still Targets of Hackers

Posted in Data Breaches, Information Security, Payment Card Industry
This entry was also posted on the Hospitality Lawg—a Baker Hostetler blog featuring commentary on hospitality law, news, and developments.  It should no longer come as a surprise that the hospitality and food and beverage industries are favorite targets of hackers.  Indeed, some commentators have suggested that hackers view these industries as the low-hanging fruit.  … Continue Reading

California Retailers Who Collect Zip Codes In Credit Card Transactions May Now Face Class Action Lawsuits

Posted in Information Security, Payment Card Industry
On February 10, 2011, the California Supreme Court issued a decision in Pineda v. Williams-Sonoma (.pdf), finding that a ZIP code constitutes “personal identification information” under California’s Song-Beverly Credit Card Act of 1971 (the “Song-Beverly Act”).  The Song-Beverly Act prohibits retailers from requesting and recording “personal identification information” as a condition of a credit card transaction.  … Continue Reading

PCI DSS Compliance–”A Necessary and Worthwhile Investment”

Posted in Payment Card Industry
Cisco released a white paper on January 12, 2011, which reported that results from its survey of 500 IT decision makers show that PCI DSS compliance is no longer viewed as overly expensive and burdensome.  Instead, the survey revealed “one overwhelming message: Organizations of all types view PCI compliance as a necessary and worthwhile investment.”  … Continue Reading

If There is Credit Card Fraud, There Must Have Been a Breach

Posted in Data Breaches, Litigation, Payment Card Industry
U.S. Bank removed a putative class action complaint filed by an online merchant named Paintball Punks to U.S. District Court in Minneapolis on December 6.  The complaint (Paintball v USBank.pdf) alleges that Paintball Punks suffered chargeback losses of $11,259.91 from nine transactions that were fraudulently billed to U.S. Bank-issued credit cards as a result of U.S. Bank’s failure to “remedy known … Continue Reading