In recent years, merchants have occasionally struck back, suing suppliers and integrators of POS systems. Those lawsuits have generally argued the suppliers are liable for breaches due to setup and maintenance errors.
Interestingly, very few of the lawsuits are ever litigated, as POS suppliers often choose to settle, said Charles Hoff, an Atlanta-based lawyer who has been involved in many such actions.
POS suppliers "may feel that they have a strong defense but they don't like the scrutiny in terms of the media," Hoff said. "It certainly doesn't help them in the marketplace. They want to figure out a way to keep their [customers] and not lose them."
All merchants want to do is "sell what they're selling," said Pam Galligan, chief compliance officer for Mercury Payment Systems, whose payment processing technology is built into various POS systems.
"PCI asks these merchants to comply with an increasingly technical set of requirements," she said. "They don't want to spend a lot of time and energy trying to protect their card environments."
There's a broad effort under way to ensure that merchants are up to speed with PCI-DSS 3.0, which comes into force on Jan. 1. But it's complex: there are 12 main requirements and more than 250 sub-requirements.
Galligan said Mercury works to ensure its POS partners are up on PCI. Hoff is co-founder and CEO of PCI University, an organization that tries to explain PCI-DSS to people who aren't data security experts.
Merchants are under heavy pressure to handle card data right every time, all the time. The PCI Council advises that retailers can't just pass an annual audit and forget about it. A main concern is that networks are modified over time, which could inadvertently create weak points for hackers to capitalize on.
That is exactly what happened with the Canadian retailer VandenBrink tested. The company had recently finished a hardware refresh and in the process left two open Internet-facing telnet and SSH ports, he said.
The ports were password protected, but using various techniques, VandenBrink eventually discovered the right passwords. That allowed him to get access to where the payment card data was held in memory, including his own.
"I was surprised," he said. "There were thousands of cards in memory."
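The failure described above is configuration drift: a hardware refresh left management ports reachable from the Internet, and an annual audit would not have caught a change made later in the year. The following script is an added example (not part of the article, and not code from Mercury, PCI University or VandenBrink) of the kind of recurring check a merchant or integrator could run against firewall rule snapshots. It assumes a simplified rule model (source CIDR, destination host, port, action) and uses constructed sample snapshots; the hostnames and rule sets are invented for illustration.

```python
"""Flag management ports (telnet, SSH) that a rule change has exposed to the Internet.

Added example: compares a baseline firewall snapshot against the current one and
reports newly exposed management ports, regardless of whether they are password
protected. The rule model and sample data are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Management services that should never be reachable from arbitrary Internet hosts.
MGMT_PORTS = {22: "ssh", 23: "telnet"}

# Source ranges treated as internal; anything not fully inside these is Internet-facing.
INTERNAL_NETS = [
    ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR permitted to connect
    dst: str      # destination host (hypothetical asset name)
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


def reachable_from_internet(src_cidr: str) -> bool:
    """True unless the permitted source range lies entirely inside an internal network."""
    net = ip_network(src_cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def exposed_mgmt_ports(rules) -> set:
    """Return {(host, port, service)} for allow-rules that expose a management port."""
    return {
        (r.dst, r.port, MGMT_PORTS[r.port])
        for r in rules
        if r.action == "allow" and r.port in MGMT_PORTS and reachable_from_internet(r.src)
    }


def drift_findings(baseline, current) -> list:
    """List management-port exposures present in `current` but absent from `baseline`.

    Telnet is rated critical because credentials and card data cross the wire in
    cleartext; SSH is rated high because a guessable password is still a single
    point of failure in front of the cardholder data environment.
    """
    new = sorted(exposed_mgmt_ports(current) - exposed_mgmt_ports(baseline))
    return [
        {
            "host": host,
            "port": port,
            "service": service,
            "severity": "critical" if service == "telnet" else "high",
            "action": f"remove or restrict the Internet-facing allow-rule for {service}/{port}",
        }
        for host, port, service in new
    ]


# Constructed snapshots: the baseline only exposes HTTPS; SSH is limited to the internal net.
BASELINE_RULES = [
    Rule("10.0.0.0/8", "pos-server-01", 22, "allow"),
    Rule("0.0.0.0/0", "web-01", 443, "allow"),
]

# After the (hypothetical) hardware refresh, two management ports were opened to the world.
CURRENT_RULES = BASELINE_RULES + [
    Rule("0.0.0.0/0", "pos-server-01", 23, "allow"),
    Rule("0.0.0.0/0", "pos-server-01", 22, "allow"),
]


if __name__ == "__main__":
    for finding in drift_findings(BASELINE_RULES, CURRENT_RULES):
        print(finding)
```

Run on a schedule against exported rule sets (most firewalls can dump rules as text or JSON that can be mapped onto `Rule`), a non-empty result is the signal that a change since the last audit needs review, which is the continuous posture the PCI Council describes rather than a once-a-year check.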