Thursday, March 14, 2013

Visa and credit card theft... oh my!

Visa's relatively recent policy of fining shops that are compromised is going to be in court next week. Genesco, a sports and shoes shop, will be taking Visa to court over the hack of its credit database, which went undetected from 2009 to 2010. More information on this is available from http://www.computerworld.com/s/article/9237588/Retailer_hauls_Visa_to_court_over_13.3M_fine_for_payment_card_data_breach?taxonomyId=17

After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.

Visa insists that the fines are a necessary way of dealing with shops that have lax security, and has built them into contracts. However, Genesco stated:

None of these situations applied with the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.

But why are all of these rules necessary? Unfortunately, credit card theft is way up. From http://krebsonsecurity.com/:

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.


These attacks demonstrate that online breaches of databases are not only realistic, they're on the rise and cheap. Should Visa be fining people for this? Maybe; most people do think with their wallets. No matter what, though, this needs to be addressed.
