Here’s the deal – Someone made off with the innards of a parking device which held the credit card numbers of everyone who had used the machine since April 1. I’m sure that this meter isn’t even on the Richter scale when it comes to credit card security, but whew – think of the liability. Read about It here.
Maybe its time for our manufacturers to spread the word and tell folks that there is a possibility that their equipment could be at risk. I know its an expense, but in the end, my guess is that the BC government will pay less if they had purchased new equipment than the lawsuit that will be involved when folks realize that the trip to Tahiti on their credit card wasn’t the one they took to Whistler.
JVH
5 Responses
Not sure if they have an operator, but it’s typically the operator than has to attest to PCI compliance. The owner will eventually be held liable as well, but they’re likely to countersue the operator for failing to uphold their fiduciary responsibility. This happened between O’Hare Airport, the operator, and the equipment manufacturer (FACTA issue related to credit card data on an electronically-generated receipt). Hope the owner had a tight contract with their operator. Owners and operators would be wise to take very seriously the PCI requirements. You’re correct, compliance is costly. I guarantee you, however, that the resultant lawsuits will far outweigh the cost of compliance. It’d be nice to see PT do a detailed report on PCI. Saw a short article a while back written by an expert from Halock, but it’d be great to see a more comprehensive report.
Here in fantastic New Zealand (yes we have similar parking problems compared to the rest of the world – in fact we even have peak hour traffic!!), we have seen an increase in demand for PCI compliant technology. This was highlighted by the hacking into some pay on foot car park equipment to obtain card details.
While local suppliers have attempted to try an educate the market of the need and liability to take precautions, it always helps when a nuetral body also presents the same story – so i agree a further article would be useful.
I would agree with Interested Party above that a detailed and comprehensive article about PCI compliance would be valuable. It continues to be a gray area to me about who is meeting the standards and what those standards are. Is it enough for the hardware to be PCI compliant. Where does third party validation come into play? Is that a gotta have or nice to have? How about the payment application?
Everyone seems to think that PCI compliance is some panacea and the ultimate solution to credit card data integrity. Technology advancements and hacking prowess will allways outpace the industry’s ability to protect itself. I remember when 32 bit encryption was considered “unbreakeable” then 64 bit and then 128 bit. Keeping up with technology and security standards then evolving and changing your internal processes to combat new threats are the best weapons we as an industry have. Last year’s hack of the San Francisco parking meter card is childsplay compared to what could happen if everyone sits back and assumes that their PCI compliant systems will protect them, even for the time being.
Frank, I don’t think PCI compliance is a “panacea”; however, the facts seem to, at least currently, speak for themselves. The PCI Security Standards Council states that NO vendor that was fully PCI compliant (the work “fully” is important) has ever suffered a data breach. This may not always be the case, but it seems the DSS is extremely effective in protecting against a breach. The real question here is how many companies, parking-related and otherwise, are accurately attesting as to their compliance. I can assure you that many companies in our industry have attested in writing as to meeting the current DSS, when in reality, they fall far short. At some point, they will have a data breach, and the house of cards will come tumbling down.