Schneier on Security
A blog covering security and security technology.
January 16, 2012
This is a first:
...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.
It’s the first known case to challenge the heart of the self-regulated PCI security standards, a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.
The PCI standards are probably the biggest non-government security standard. It'll be interesting to see how this turns out.
Posted on January 16, 2012 at 9:58 AM
How many consumers really know anything about this at all? It appears to be similar to the old mobster protection scams of last century. We can all beat this game, don't use your credit cards (yeah, like that's going to happen). One of the credit card providers has added a new angle to their agreements, called the "delegate tool", which may isolate responsibility for fraudulent usage back to the consumer.
"...in general, force merchants to sign one-sided contracts..."
Hmm. I thought contracts entered under duress were invalid.
Oh, you mean they weren't under duress? Why are they complaining about terms and conditions they voluntarily agreed to?
Why don't somebody just ignore these guys and create something that works? It's hard to believe there's been so little actual experimentation and innovation in this area.
Something I've seen recently, though, is this: http://arstechnica.com/gadgets/news/2012/01/...
I find it a bit interesting. Comments?
Johnathan: "Oh, you mean they weren't under duress? Why are they complaining about terms and conditions they voluntarily agreed to?"
The beauty of a fully unregulated free market system from the side of the proponents. Criticism against de-facto monopolists that give you no choice but to agree to their terms or not enter the market can be discarded with "that's a choice too".
Johnathan: "Oh, you mean they weren't under duress? Why are they complaining about terms and conditions they voluntarily agreed to?"
A Hobson's choice hardly counts as "voluntary".
Natanael L: "Why don't somebody just ignore these guys and create something that works? It's hard to believe there's been so little actual experimentation and innovation in this area."
Because Visa and Mastercard have exercised effective monopoly power over this. If you choose not to comply with PCI, you can't accept Visa/MC as a merchant (which is about the same as going out of business in the current age). With PCI as a front-loaded requirement to even enter into a card-accepting agreement, they can (and do) back it with whatever draconian terms they desire.
>the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based ...
Because either their brains or their signature will be on the contract? I frequently go to a lot of restaurants that are cash-only. They are typically some of the best restaurants around (e.g. mom and pop breakfast joints). And the price difference is noticeable.
I'm not denying that the credit card companies have a great deal of power over merchants who want to accept their cards and often charge exorbitant rates, but my experience with actual PCI audits has been that the security standards are mostly sensible and good for everyone involved.
Examples include: not storing copies of CVV codes, not storing card numbers unencrypted, and a bunch of very basic system security / access control best practices for any system that does store card data.
A lot of Visa's terms and conditions seem to be routinely ignored by small merchants in any case. For instance I'm fairly certain they prohibit their merchants from posting minimum purchase amounts for credit transactions, but tons of small restaurants do that anyway.
Some small mom-and-pop restaurants can get away with not accepting credit cards, and it's notable that they are the only ones. If you sell TVs, computers, cell phones, or really anything which costs more than $20 (or over the Internet) you need a credit card.
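The PCI requirements the commenter above lists (no stored CVV, no card numbers kept in the clear) can be shown as code. This is an added illustration, not code from the post or from any PCI document; the token key, sample authorization record and log lines are constructed for the demo, and the scanner at the end is the kind of check an auditor would run over logs to find card data that should not be there.

```python
import hashlib
import hmac
import re

# Constructed demo key: a real deployment keeps this in an HSM/KMS, never in source.
TOKEN_KEY = b"demo-token-key-not-for-production"
PAN_RUN = re.compile(r"\d{13,19}")
CVV_KEY = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation over a digit-only string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash reference for the PAN; a plain SHA-256 of a 16-digit PAN is brute-forceable."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def record_for_storage(auth: dict) -> dict:
    """Reduce a post-authorization record to what may be persisted:
    no CVV at all (sensitive authentication data), no full PAN in the clear."""
    pan = re.sub(r"\D", "", auth["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": auth["expiry"],
        "amount": auth["amount"],
        "auth_code": auth["auth_code"],
    }


def scan_for_card_data(text: str) -> list:
    """Detection: report lines carrying a Luhn-valid PAN-length digit run or a CVV field.
    Returns (line_number, reason) pairs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if CVV_KEY.search(line):
            findings.append((n, "cvv field"))
        if any(luhn_valid(run) for run in PAN_RUN.findall(line)):
            findings.append((n, "full PAN"))
    return findings


# Constructed sample input: one authorization request and two application log lines.
SAMPLE_AUTH = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/25",
               "amount": "42.50", "auth_code": "A1B2C3"}
SAMPLE_LOG = ("2012-01-16 09:58:00 auth ok order=20120116095800 amount=42.50\n"
              "2012-01-16 09:58:01 DEBUG request pan=4111111111111111 cvv=123 expiry=12/25\n")
```

The first log line contains a 14-digit order number that fails the Luhn check and so is not flagged; the second, a debug line echoing the raw request, is exactly what the "no stored CVV" rule is meant to prevent.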
As a small business owner myself, every day I make choices about terms and conditions of contracts I enter with service vendors, subcontractors, customers, employees, equipment suppliers, bankers, and yes, payment processors. When I negotiate, one option is *always* to not enter into the agreement.
If it turns out that my choices result in my business costs exceeding my revenue, I can and have changed my line of business to one where it is possible to produce more value than I consume.
Clearly, enough merchants consider that the benefits outweigh the costs of doing business with Visa/MC to allow them to offer such "draconian" terms.
I have chosen a line of business and payment processing that does not include accepting Visa/MC. When enough others do the same, Visa/MC will be "forced" to accommodate. Until then, they won't.
@Seth: Reading the article, it seems that the security rules aren't the issue. The issue is the dispute resolution process, or lack thereof.
It is contradictory to argue that it is unfair to have to jump to someone else's tune, by proposing someone else jump to your tune.
You can *absolutely* lament situations being such that an otherwise horribly unfavorable contract is your best option.
@David: Lament, yes (believe me, I have). But I don't seek government agents to enforce my wishes against people I've voluntarily made agreements with (as in the lawsuit this article was written about.)
Apparently, more people need to read the article. There's a lot of hyperbole in the headlines and top paragraphs, but farther down are some serious claims.
- part of the claim is that requiring compliance with the PCI standards was attached later without notice to an existing agreement; the restaurant was able to sign an agreement without agreeing to the PCI terms
- the bank and card companies claimed a breach; the restaurant hired two investigative firms from the card companies' list; those firms found no evidence of a breach. They did find non-compliance items, and fines were levied. The article is not completely clear on this point, but it may be that *those* fines are not disputed.
- other card issuers claim to have incurred losses from this breach ("this breach" - see previous point). Those losses were then levied as fines, and those are certainly being disputed, given that the investigation showed no evidence of a breach.
- it is worth noting that this issue goes back to March 2008. We can't apply our current knowledge and views of things like PCI - we need to rewind four years.
- the restaurant didn't write their own software; the company certainly provided notice (although how thoroughly can't be seen from out here) about the PCI requirements and version updates. The catch would appear to be that if the restaurant reviewed its agreements with the bank at the time, it's not clear that they would have found any indication that they needed to upgrade.
@Jonathon (who has at least read the article) - it appears that they may never have agreed to these terms, nor may the bank have ensured they notified them in a clear and unambiguous manner that they were changing the deal. That doesn't seem to be one of the soundest ways to update an existing agreement.
The article links to the motion it's reporting on: http://www.wired.com/images_blogs/threatlevel/...
In there, you'll find answers to some of the items that are unclear in the article. As a note that you probably don't need, this is only one side's position, but it's laid out in a lot of detail, including why they needed to accept credit cards in the first place.
One of the most interesting sets of claims basically states that during the alleged breach of contract (claims 25-27), they could not access the contract they were alleged to have breached, nor had they had access to them, nor were they informed of their existence, nor were the terms in question in existence when they originally signed.
If their claims are accurate, calling that a "one-sided" contract is to understate the problem. They did not even know what was in the "contract" they'd signed.
And yes, I'm putting "contract" in scare-quotes. A "contract" with no meeting of the minds does not appear to be a contract in the common-law sense.
A couple of legal points here: these are not contracts entered under "duress". Duress is a legal concept that allows a contract to be voided, the classic case being when you are forced to sign with a gun to your head.
These are contracts of "adhesion", both in the case of the merchant agreement and the consumer agreement. This is a contract where the party on one side has no practical ability to negotiate on any terms. Perfectly legal, but the courts hold the party controlling the contract's terms to a high standard - any ambiguities in any terms are interpreted most favorably to the "weak" party.
Last point: these contracts commonly say "we may change certain contract terms in the future, but we'll give you notice so you have the option to terminate if you wish." Courts strictly construe these provisions against the strong party as well. Again, perfectly legal but narrowly construed.
The restaurant has sued to require proof of at least three things: (1) prove that I had clear notice of the PCI rules - otherwise they aren't enforceable; (2) prove that I breached the rules - if not, no liability; (3) prove that my breach caused actual losses - no loss, no right to recover damages.
These are all standard claims in contract litigation, all based on the facts of the case rather than the underlying validity of the PCI rules and the merchant agreements. The lawsuit could cause credit card companies to tighten up how they operate and manage PCI compliance, but is unlikely to threaten the framework as a whole.
If the credit card companies have gotten sloppy in compliance management, this will be a good wake-up call.
According to their merchant account agreement businesses are not allowed to charge a higher amount for an item if someone pays with a credit card and a lower amount if paid by cash. Yet, the credit card companies have continually allowed businesses to charge a "convenience fee" which can be rather substantial (e.g., 3%) and still allow it under the agreement.
Costco stores do not accept Visa or MasterCard. (They do accept American Express and debit cards. Costco.com accepts Visa and MC.)
Costco isn't a tourist-dependent restaurant. At least according to claim 19, 90% of their customers use payment cards, and about 78% of payment card transactions are MasterCard or VISA. Unless that information is inaccurate (or the second set has little to do with the first), they were clearly in a contract of adhesion.
>A lot of Visa's terms and conditions seem to be routinely ignored by small merchants in any case.
A couple of years ago I researched PCI and its impact to our organization (software development). During that time I located a VISA training guide that specifically stated all credit cards must be signed by the individual... with a signature and nothing else was acceptable.
For as long as I can remember I always signed my cards with "see drivers license". Since I found that training guide guess how many retailers asked me to sign the card.... Zero!
>One of the most interesting sets of claims basically states that during the alleged breach of contract (claims 25-27), they could not access the contract they were alleged to have breached, nor had they had access to them, nor were they informed of their existence, nor were the terms in question in existence when they originally signed.
What boggles my mind is they had no copy of the contract that they executed?
@raclarkmis : The reason they want you to put your signature on your card has nothing to do with security, and everything to do with legally agreeing to their terms for using the card.
On my card, it states in small print on the back "Use or signing of this card constitutes agreement with the current terms and conditions".
My language may have been imprecise; I'll try to state my understanding in more detail. For anything important, I'd refer to the source: http://www.wired.com/images_blogs/threatlevel/...
If I understand their position correctly, they appear to state that they signed a contract which had none of the data security provisions (claim 25). Those provisions allegedly didn't exist at the time; they were added later without their knowledge (claim 25). The provisions of the contract they were alleged to have breached were apparently kept as secrets (from them) until after the alleged breach (claim 26). Even after the portions of the contracts that were allegedly breached were published, they still kept some parts secret (claim 27). Claim 28 continues to state that they were apparently held to these rules, which they could not have been aware of at the time of the alleged breach, which they weren't informed of at the time of the alleged breach, and when they were published in an incomplete form, they still weren't informed.
Perhaps this excerpt from Claim 32 says their position best:
...the terms of Cisero's merchant agreement were materially changed without Cisero's consent, and without providing Cisero's with adequate notice, through changes in the card networks' rules that the Agreement required Cisero's to obey - sight unseen...
@ Natanael L
Thanks for the link. It might be cheap enough for them to implement. I'm glad one bank is doing trials with it.
As a small business owner, I was blissfully unaware of PCI Compliance until 6 months into my Credit Card processing contract. One day I received a manila envelope that told me that I had 30 days to become 'PCI Compliant', which, as it turned out, included changing from my preferred POS software to another, because my POS software hadn't been certified by Visa/MC. When I signed up for credit card processing, nary a word had been spoken to me about PCI. Thankfully, being a computer repair shop, I already had most everything else in line with their wishes (although their requirement that "every" computer that is used by the business or by employees while at the business [including their personal computer, for personal use] be password protected and have an anti-virus enabled is beyond ridiculous--I use Ubuntu. There is no anti-virus for Linux viruses. Oh, and it also requires that the user accounts be "locked down". Talk about a moving target.)
@zibodiz - I too use Ubuntu and am forced by work to "use an anti-virus program". Try looking at clamav, it's free and open and fills the "must have AV" rule.
"Why don't somebody just ignore these guys and create something that works?"
There have been several attempts, but they all get stopped one way or another. The most impressive was DigiCash.
Full disclosure: I once worked for a company that offered an alternative payment system. I'd like to say that the credit card companies stopped at nothing to kill us off, but actually they didn't need to try hard. I believe there was a little bit of FUD dissemination, but it was mainly a lack of consumer interest due to the CC companies exaggerating the safety of their product, and concealing the dangers by forcing merchants to absorb the losses.
In a fair marketplace of course that should result in credit card transactions being significantly more expensive than better systems (about 20% more, for "card-holder not present" transactions), but the credit card companies essentially blackmail the merchants into not doing this. Another major factor is that beginners start with a limited support base, so they are less convenient to customers, and unimportant to merchants.
It's extremely frustrating: their product is so bad that if anyone else got a real foothold in the market, they would be finished; but their monopoly power is so effective, no-one else can survive long enough to get a foothold.
"These are contracts of "adhesion" ... Perfectly legal, but the courts hold the party controlling the contracts terms to a high standard - any ambiguities in any terms are interpreted most favorably to the "weak" party."
IANAL but ... if the Wikipedia article on contracts of adhesion is remotely accurate, the courts do far more than hold the controlling party to a high standard. Unreasonable clauses can be struck out entirely, or the entire contract can be found unconscionable (and hence totally unenforceable.)
Symantec runs great on Linux (SAVLinux). Nails is OK as well. Joe is also correct that ClamAV works.
"There have been several attempts, but they all get stopped one way or another. The most impressive was DigiCash."
DigiCash was the one that could have made it and changed everything. Unfortunately, we have to blame Chaum for screwing that up for us. His extreme paranoia made him turn down pretty much every major deal & always at the last minute. A huge waste of innovation.
"I believe there was a little bit of FUD dissemination, but it was mainly a lack of consumer interest due to the CC companies exaggerating the safety of their product, and concealing the dangers by forcing merchants to absorb the losses."
That seems to be the main thing. I'd highlight "a lack of consumer interest." This kills most higher assurance schemes for securing something. The consumers often get credit cards for the convenience. They also assume if attackers want their stuff, they'll get it anyway. (Not necessarily true for the common attack vectors.) Hence, they consider even a one-time PIN device too cumbersome. With little to no market, who wants to spend millions developing & advertising one of these products?
> A Hobson's choice hardly counts as "voluntary".
Sony got away with offering one recently....
Aren't the PCI standards more like who gets stuck with liability?
@zibodiz - if the terms apply to _every_ computer, wouldn't that include your customers' machines? Legal issues aside, this seems bizarre. Does this mean the provisions apply to the projection systems at a movie theatre, say, or to an MRI machine at a clinic? Is it even _legal_ to run antivirus software on computers controlling medical equipment? If so, where can I obtain treatment where it's not?
Also, what about systems like Apple's EasyPay, where the "terminals" (iOS devices) are essentially incapable of running effective antivirus software, _by design_?
Finally, wouldn't the antivirus provision itself encourage a design in which computers processing credit cards have the ability to run software and/or connect to networks unrelated to transaction processing?
@Jason - the PCI rules only apply to the parts of the company that handle and store credit card details. So you can define which parts of your IT are in-scope and which are out. This avoids much of the on-the-surface craziness.
I have no idea about the POS issue - I've only worked on PCI at the back end.
Kevin, have you ever heard of Peter Luger Steakhouse? It's possibly the top steakhouse in New York. It does not take credit cards.
When do the costs related to PCI compliance become a negative ROI for the merchant? Non-compliant shops still pay for every card swipe; now they have to pay more. Is it safe to process an encrypted card on a network but not to surf on the same network?
The web should not have been considered a way to transport card information. It is insecure and will always be insecure no matter how many doors you lock.
Another question - does encryption at the device make it safe?