Last year’s statistics are in, and they once again show that data security breaches remain a pervasive risk. For instance, Privacy Rights Clearinghouse reported that 613 of the 4,176 publicly announced data breaches between 2005 and 2013 occurred last year. Many, and certainly the ones that attract much publicity, involve attacks on payment card information. Yet the media often fails to mention one of a merchant’s greatest potential exposure risks: the contractual web through which card brands, like Visa and MasterCard, may try to impose assessments for card rules’ violations on victimized merchants.
Merchants do not have direct contracts with Visa or MasterCard. Instead, as the illustration shows, acquiring banks contract with the card brands to allow the acquiring banks to permit merchants to accept Visa or MasterCard payment cards. American Express and Discover may have varying contractual arrangements, but the types of assessments imposed are similar to those discussed. To accept those cards in their stores, merchants contract with acquiring banks. The cards themselves are provided by issuing banks, which have separate contractual relationships with the card brands.
The contract between the card brand and the acquiring bank customarily incorporates a set of “rules” unilaterally imposed by the card brand. These “rules” allow the card brand to impose assessments on the acquiring bank if a bank’s merchant suffers a breach caused by the merchant’s failure to comply with the Payment Card Industry Data Security Standards (PCI DSS). The acquiring bank’s merchant contracts typically require the merchant to indemnify the bank for these card brand assessments.
There are three key categories of assessments: per-card fees to cover non-ordinary-course operating expenses incurred by the card brand’s issuing banks following a breach; incremental fraud charges incurred by the issuing banks; and a fine for the merchant’s alleged PCI DSS non-compliance. Even with a small breach, the assessments can get very large very quickly, in part because only the first type of assessment is tied to the number of payment cards that may have been compromised. Visa’s rules, for example, permit it to assess $2.50 per payment card.
Incremental fraud assessments, by contrast, depend on a number of factors that can vary substantially, such as how quickly the cyber criminals were able to sell the card data and how much was “spent” before the fraud was detected. PCI DSS non-compliance assessments are capped at a set amount that does not depend on the number of cards at issue. Visa’s rules, for example, permit it to assess up to $50,000 for a first incident. A merchant’s compliance with PCI DSS at the time the breach occurred is a defense to all these assessments.
To enable card brands to impose these assessments if a breach occurs, the relevant contracts require a merchant to retain a PCI Forensic Investigator (PFI) to conduct an investigation for the card brands. The PFI will investigate the scope of any breach which includes issuing an opinion as to whether the merchant was in compliance with PCI DSS when the breach occurred. Almost inevitably, the PFI, who is working on behalf of the card brands, will conclude that the merchant was not PCI DSS compliant, even if the merchant’s own Qualified Security Assessor had just certified the merchant’s compliance shortly before the breach.
There are several ways to challenge the assessments. Factually a merchant may convincingly show that it was, in fact, PCI DSS compliant; challenge an assessment amount based on facts suggesting the PFI made a scoping mistake; or challenge the card brands’ calculation of “incremental” fraud. From a legal perspective, a real question exists as to whether these assessments represent lawful liquidated damages, or unenforceable contractual penalties. This is a question that remains unanswered, in no small part because so many merchants simply pay the assessments or reach a negotiated settlement.
Given cyber criminals’ continuing focus on payment card data, many experts suggest that companies handling payment card data should plan for when (not just if) they are breached. What steps can companies take to mitigate this exposure and respond in the event of a breach? Here are nine tips:
- PCI DSS compliance is necessary but not sufficient. Compliance with the PCI DSS ensures a security baseline and positions a company well to fight potential assessments, but PCI DSS compliance will not necessarily prevent a breach. Security programs should be risk-based and evolve with changing threats.
- Develop your incident response plan. Time is of the essence when a company discovers a potential breach. Engage the members of a response team in advance, including both internal personnel and external resources (legal, PR, forensic investigators).
- Review cyberinsurance coverage. Policies often have a scope or contain exclusions that can be problematic for the contractually-imposed card brand penalties.
- At the first sign of a breach, involve the right experts. Especially if there is any possibility the incident is significant, it is critical to engage experienced counsel, working with an external forensic firm, to investigate.
- Preserve the relevant evidence. To investigate the incident and prepare for potential litigation, relevant systems should be preserved immediately. If there is doubt as to what is potentially relevant, err on the side of caution.
- Work to identify the scope of and cause for the incident. The PFI’s investigation is one undertaken for the card brands. A merchant needs to perform its own investigation to understand and respond to the incident and to prepare to contest liability.
- Cooperate with the card brand investigation without making concessions. Provide the PFI access to the information necessary to complete its investigation, but document in writing areas where you disagree with the PFI’s findings or the card brands’ assessments.
- Vet all external statements carefully. Inconsistencies or supposed admissions in a company’s public statements will be targeted by potential adversaries in the litigation that almost inevitably results from a substantial breach.
- Plan for your next Report on Compliance. The PCI DSS verification process is not halted simply because a breach has occurred and, in some cases, it actually can be accelerated. Plan accordingly.