[Cryptography] cost-watch - the cost of the Target breach

Jerry Leichter leichter at lrw.com
Fri Dec 5 22:49:55 EST 2014


On Dec 5, 2014, at 6:46 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> The Target ruling makes clear that banks have a right to go after merchants if they can provide evidence that the merchant may have been negligent in securing its systems.
> ...
> This suggests that it is Target's responsibility to maintain the security of the card payment system rather than the banks
> 
> I do not agree. The banks have had ten years to deploy chip and pin which would eliminate the breach. That was pure negligence on their part. Target should not be held responsible when the banks decided that it would be cheapest for them to not bother with card security.
There's plenty of blame to go around.  Target didn't do its part here - and the banks were able to show it.  I agree with the principle that the costs should be imposed on those in a position to fix the problem (but fail to do so), but the facts as decided in this case were that Target *was* (at least partially) in that position, and indeed didn't do what they should.

It's also not at all clear that the banks were the ones who resisted on chip and pin.  *They* wouldn't be the ones bearing the costs of replacing all the card readers out there - and they stand to gain from the liability shift that leaves merchants who don't get new terminals stuck with any losses.  Overall, win/win for the banks.
                                                        -- Jerry
