When the security of a point of sale system is breached, many people start pointing the finger as to who is to blame. Did the vendor stay up-to-date on all security patches? Was the retailer vigilant in keeping its network safe? Are POS system hacks unavoidable? There have been many different points of view on this matter and it could be getting more complicated because of a lawsuit in Vermont.
First, a little back story. The problems started with the grocery chain Natural Provisions, which is based in Williston, Vermont. According to court documents, the organization's lax security protocols led to a security breach in which tens of thousands of dollars were stolen from compromised customer cards that passed through the system.
This was discovered when an area bank asked the state's Attorney General to conduct an investigation to uncover who might be at fault. Once the business was found at fault, a larger problem emerged. Under Vermont law, a company must contact the attorney general within 14 days of a breach, notify customers within 45 days and take all necessary steps to close the problem.
"Natural Provisions failed to meet these standards," Vermont Attorney General William Sorrell stated in a notice about the settlement. "After it first obtained information that a security breach might have occurred at its store, it did not commence taking remedial action to resolve the security vulnerability for more than a month."
The statement went on to say that some consumers who had their cards compromised and replaced had a second card also compromised before Natural Provisions addressed the issue. This led to a lawsuit and a $30,000 settlement that includes a $15,000 fine for failure to notify customers and $15,000 to be spent on security upgrades to the point of sale system.
What does this settlement mean for the retail industry?
A recent article from Bank Info Security looked deeper into this settlement to see what the ramifications could be for the retail industry. There are only a handful of states with mandatory notification periods and even though this is a small company, the headlines have a long reach and other states could follow suit.
"As a result of this case, more banking institutions may ask state attorneys general to conduct investigations after card fraud is linked to a retailer," Marjorie Meadors, who oversees card fraud prevention for Louisville-based Republic Bank & Trust, a community bank with $3.2 billion in assets, told the news source. "That's because attorneys general enforce state laws, which may call for timely breach notification and establish security requirements, including compliance with the Payment Card Industry Data Security Standard."
Assistant Attorney General Ryan Kriger told the news source that he understands security can be a challenge for organizations but he hopes this settlement will open the eyes of small businesses and ensure they understand how serious this matter truly is. He added that companies need to make security a priority, have plans in place and follow state and national laws.
With the help of a payment solution provider that understands the complicated nature of point of sale security, any organization can improve its protocols and avoid a lawsuit like the one Natural Provisions faced.