Shostack + Friends Blog Archive


"The vendor made me do it"?

Via StorefrontBacktalk comes news that

Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors.
In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS vendors, saying that the retailer relied on them and if the retailer is liable, then the POS vendor should pay for it.

Interesting defense. I wonder if it will also be used by anyone who has been illegally improperly storing payment card mag stripe data? There have been some high-profile cases of this occurring, and (as reported by Bob Sullivan at MSNBC)
Visa issued a warning to retailers about inappropriate mag stripe retention by some POS software utilities last year.

2 comments on ""The vendor made me do it"?"

  • Roger says:

    If my memory serves me, when BJ’s Wholesale Club was breached a few years ago, it sued IBM for the same reason.

  • Chris says:

    WSJ, via Google, says you’re right, Roger.

Comments are closed.