Is the expense of a lawsuit and the resulting judgement greater than the cost of proper security? I can say in most cases (if not all) that the answer is yes. Case in point: Wendy’s was breached and is now facing lawsuits over the fraudulent transactions.

In January, Wendy’s spokesperson Bob Bertini told security researcher Brian Krebs that the restaurant group has hired a security firm to look into reports from “payment industry contacts” that it may have been a victim of a serious data breach.

“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” he said at the time. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

George Rice, senior director of payments for HPE Security – Data Security, told Infosecurity that the lawsuit should be a warning to other retailers.

“In addition to consumer restitution, industry fines and corporate brand damage, the financial consequences of PCI data breaches now routinely include the costs of defending against lawsuits brought by affected parties and any resulting judgements,” he said. “Security-deficient merchants will find it difficult to defend themselves against such lawsuits when powerful data security solutions are readily available on the market. Solutions such as point-to-point encryption and tokenization allow for the protection of sensitive data from the moment of acceptance and throughout its lifecycle in the organization.”

Retail malware is typically designed to steal clear data in memory from Point of Sale (POS) applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale.

“And unfortunately, PoS systems are often the weak link in the chain—they should be isolated from other networks, but often are connected,” said Rice. “A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”


If you are a POS operator, the run-of-the-mill external PCI audits are NOT going to protect you. Unless you are the size of Wendy’s or Home Depot or Target and can absorb these losses, contact ETC Maryland to have your network properly audited and secured to save you the expense of a lawsuit or the potential loss of your business.