Skip to main content


Any class action with 40 million defendants is going to get huge fast. Here is an article at Bank Systems and Technology. Some interesting tidbits:

"I'd expect that the plaintiffs bar will be looking for a per-cardholder assessment of damages that will be driven by such things as a regular credit check to be paid for by one or more of the defendants," says Holt. Thus, if the card industry were ordered to pay for periodic credit checks for a class of 40 million people at an estimated cost of $30 per report, the total cost could run into the billions of dollars easily.

That's a big pay day for Equifax and the other services - which may be viewed as ironic at best by many people. Comments, Adam?

Furthermore, the plaintiffs likely are to go after the deepest pockets, and so the card associations and member banks may not be able to escape entanglement. "There is going to be a whole host of defendants seeking to shift liabilities to one another," says Holt. "The plaintiff is largely agnostic to that type of dispute. The plaintiff will simply be claiming these damages and they don't care who pays them."

Even though press reports indicate that CardSystems violated the associations' rules by keeping copies of cardholder data beyond the necessary period, the plaintiff's bar could argue that other parties in the chain of custody of data should have found out about the violation and taken steps to correct the problem. "When did the issuer know it, and what did the issuer do about the alleged violation of the industry standard?" says Holt, describing the probable line of questioning.

It is likely that the plaintiff's attorney will find out the Visa and Mastercard recently eased the security requirements of their CISP and SDP programs and will argue that association rules are a sham. I understand that the requirements document dropped from 35 pages to 18. I spoke with one auditor that was essentially dropping out of the program because he disagreed with the changes being made.

I wonder what will happen to ecommerce and online banking as an industry. There have already been a number of surveys that suggest people are holding off on buying online. Unfortunately, I have only seen surveys paid for by security companies. Still, you have to think it is an issue and you have to wonder what impact it will have on the industry. People are tying online credit card purchases, phishing, lost backup tapes, reporting agency leaks all into one big sense of unease.

ATMs would never have gained the acceptance they have without the perception of security combined with their convenience. It is interesting that ecommerce has already penetrated the market because of convenience, perceived security (which is really only SSL encrypted transport) and the mistaken belief that the most a buyer could lose is $50. What would happen to ATM usage if 40 million ATM cards were stolen? Well, not so much, because you can't do anthing with just an ATM card.
Current rating: 1

Recent Posts







RSS / Atom