DataBreaches.Net


Apres le breach, yet another call for greater cooperation to fight data theft

Posted on December 19, 2009 by Dissent

And the year draws to a close as it opened: with a call for greater cooperation in preventing security breaches. At the beginning of the year, it was Heartland Payment Systems. Now, following lawsuits against it by restaurateurs in Louisiana who were hacked while using one of its POS applications, Radiant Systems is trying to sound its own clarion call for greater cooperation among those involved in processing transactions. In a press release issued yesterday, the company writes:

“Our vision is to encourage all involved in transaction processing to move from a mindset of independent compliance to one of collaborative security that will greatly reduce the risk of data theft,” said John Heyman, chief executive officer at Radiant Systems. “We believe the current data security blueprint in the payments industry is designed with many constraints in mind and therefore is not able to go far enough.”

[…]

“We have expanded the responsibilities of Jimmy Fortuna, vice president of product development for the hospitality division at Radiant Systems, to now include industry data security,” added Heyman. Fortuna brings 10 years of industry experience to this role. “Jimmy will work inside and outside the walls of our company to fight for increased levels of data security in the retail and restaurant industries.”

Radiant is investing in these activities to help define new standards across the payment process, educate businesses on how to reduce theft by meeting the current 12-step Payment Card Industry Data Security Standard (PCI DSS) requirement process, and build new technologies outside its POS software to combat theft.

To date, Radiant has declined to discuss any specifics involving the lawsuits against it, and details of the hacks have come only from the restaurateurs, leaving many questions unanswered.

What did Radiant do in 2007 when its earlier Aloha systems were declared noncompliant? Did it notify all distributors to stop selling those systems, and did anyone contact customers to alert them and advise them? Following an August 2008 meeting between Visa, the Secret Service, and Louisiana restaurateurs, Radiant issued a security alert. But what had it done before then to ensure that customers who used its platform were aware of the problems? Yes, it is ultimately the merchant’s responsibility to remain compliant, but it’s unrealistic to expect small merchants to search for or read bulletins that may or may not apply to them. As Radiant looks to prevent future problems, what is Radiant suggesting be done going forward?

Will Radiant go so far as to recommend that vendors be required to commit to notifying customers of security alerts? If not, what will Radiant agree to support?

If a car has a safety defect, it is the car manufacturer’s responsibility to notify customers to bring their car in. We don’t expect car owners to check the manufacturer’s site or the Highway Safety web site to find out if their car poses a hazard to them. Why doesn’t the same notion of responsibility apply here? Or does it already?

Whether Radiant’s call is simply an attempt at PR in response to the bad press they have received over the lawsuits or a serious commitment that they will follow up on remains to be seen, and I expect we’ll see some “lessons learned” as an outgrowth of this incident. But will it be enough to significantly reduce the likelihood of future breaches? As long as there continue to be intensive efforts to cover up breaches or to prevent the public from finding out the full scope of breaches, I doubt it.

Photo credit: “Clarion call” by lonecellotheory, Flickr, used under Creative Commons License.


Category: Commentaries and Analyses
