INTRO: Payment card breaches are a unique type of data breach, in that the parties seeking redress are typically not individuals, but rather payment processors and merchant banks, and ultimately the card brands and issuing banks. Jim Whetstone of Hiscox USA and David Navetta of Information Law Group discuss recovery mechanisms and the potential liability faced by merchants after a payment card data breach.
Since the advent of cyber insurance, many have questioned where the liability lies. It is true that victims of personal information data breaches have faced difficulties in court alleging that they have suffered any harm. The result of third-party claims associated with payment card security breaches often is very different.
For payment card breaches, the parties seeking redress are typically not individuals, but rather payment processors and merchant banks, and ultimately the card brands and issuing banks. The major card brands have developed a contractual infrastructure and back-end regulations to help facilitate recovery from merchants of fraud and card reissuance expenses, among other non-contractual remedies that may be available. These assessment costs can be in the millions of dollars, and can threaten the solvency of some merchants.
This article will explore the card brands' recovery mechanisms and the potential liability faced by merchants after a payment card data breach.
To understand a merchant's potential liability for a payment card breach, one must first understand the relationships between the payment card players. In a typical scenario for Mastercard and Visa, a direct contractual relationship does not exist between the card brand and the merchant. Rather, in order to accept credit cards, a merchant must enter into a merchant agreement with a processor and/or merchant bank. Among other obligations, the merchant agreement requires the merchant to comply with the Payment Card Industry Data Security Standard and card brand rules and to indemnify the merchant bank for fines, penalties and assessments.
In turn, merchant banks enter into membership agreements with the card brands that make them responsible for their merchants' payment card breaches. Under this arrangement, the merchant bank is financially responsible to the card brand when an assessment is levied. The merchant bank typically seeks to pass that liability to the merchant via the merchant agreement.
Why does this matter? First off, Mastercard and Visa use the contract chain to largely insulate themselves from the merchant and their decisions that affect the merchant. The card brands force communications through the processor/merchant bank, which makes it difficult to obtain information concerning an assessment in order to challenge it. In addition, there is little incentive for the merchant bank to fight the assessment. Its main goal is to pass the liability on to the merchant. To facilitate payment, the processor/merchant bank often will establish a reserve fund by starting to skim money owed to the merchant for ongoing payment card transactions. This can disrupt cash flow and hurt the merchant's business, and provides major negotiating leverage for the merchant banks and card brands.
The fraud recovery and operating expenses that the card brands push down to merchants arise from the card brand rules. Visa's Global Compromised Account Recovery Program is the most mature recovery process. Several criteria must be met for a payment card breach to qualify for the recovery program, including:
• A violation of the Payment Card Industry Data Security Standard that could have allowed the compromise of payment card data;
• 15,000 or more payment card accounts potentially at risk; and
• $150,000 in combined fraud recovery and operating expense recovery.
If those criteria are met, Visa can levy an assessment that includes fraud recovery (i.e. an amount to reimburse issuing banks for fraud perpetrated on cards subject to a data breach) and operating expense recovery amounts (i.e. an amount to reimburse issuing banks for the costs to reissue payment cards subject to a data breach).
The amount of fraud recovery varies depending on the actual amount of fraud perpetrated; it can be a relatively small amount or multiple millions of dollars and everything in between. The fraud recovery is also reduced based on a formula used by Visa that assumes an acceptable baseline level of fraud, and can be further reduced if Visa allows a “catastrophic cap,” typically set at 2% to 5% of annual Visa transaction amounts. The assessment amount for operating expenses under the Global Compromised Account Recovery is set at $2.50 per eligible account. That means if the breach involved 100,000 eligible accounts, the operating expense amount is $250,000.
It can be very difficult for a merchant to challenge a Global Compromised Account Recovery assessment. The first step in the assessment process is the investigation by a Payment Card Industry Forensic Investigator that the card brands require. The investigator's job is to determine what happened and whether the merchant was Payment Card Industry Data Security Standard compliant. Payment Card Industry Forensic Investigators are generally viewed as being aligned with the card brands and are required to make assumptions that often go against the merchant.
For example, they may assume the existence of a breach even where no evidence of data acquisition exists, and typically take a broad view as to when an intrusion began and ended, which can lead to more cards being considered “at risk.” Ironically, because of the uncertainties associated with forensic investigation, the Payment Card Industry forensic investigation is one area where merchants can hope to influence the outcome of an assessment. However, this approach typically requires the merchant to retain a different forensic assessor, at its own expense, to act as its advocate.
Once an assessment is levied, the card brand acts as the judge, jury, and appellate court. There is little due process, and the card brands typically do not provide enough information to validate the assessment amounts. The merchant banks and card brands also have the ultimate hammer: most merchant agreements can be terminated for convenience, thereby cutting off a merchant's payment card revenue, which is the lifeblood of most merchants in today's business environment. Nonetheless, for those practitioners that have engaged in these battles, there are ways to attack and negotiate assessments down, including challenging the legal rights the merchant banks are attempting to exercise and carefully analyzing whether the card brand rules have been properly applied.
While merchants have limited negotiating power when entering into the merchant agreements, and limited ability to challenge the assessment amounts, they often can insure themselves against this risk. Most cyber, privacy or data breach insurance policies provide coverage for the first-party costs a merchant can incur after a personal information breach, as well as third-party costs for defense and settlement of liability claims.
As has been detailed above, a significant component of merchant liability in the wake of a payment card breach is contractually based. Merchant and issuing banks no longer need to sue their merchants for, and attempt to prove, negligence or other available theories of liability after a payment card breach; they simply trigger the contractual indemnifications agreed to by their merchants. Thus, merchants should be careful when selecting their insurance to ensure it provides coverage for these contractual liabilities and indemnities after a payment card breach. In addition, merchants should understand the scope of coverage available for fines and penalties, as related to card brand assessments. Considering the difficulties associated with payment card breaches, merchants that address these insurance issues in advance may be able to better weather the liability storm.
Jim Whetstone is senior vice president, practice leader for professions at Hiscox USA and head of their technology and privacy business. He can be reached at 312-239-6354 or Jim.Whetstone@Hiscox.com. David Navetta is one of the founding partners of the Information Law Group. David focuses on technology, privacy, information security and intellectual property law. He is also a Certified Information Privacy Professional through the International Association of Privacy Professionals. He can be reached at 303-325-3528 or firstname.lastname@example.org.