For most retailers credit cards are the primary form of the payments that they receive. Accepting credit cards, however, carries significant data security risks and potential legal liability. In addition to the normal repercussions of a data security breach – e.g., reputation damage, the risk of class action litigation, and the risk of a regulatory investigation – if a retailer’s credit card system is compromised the retailer may be contractually liable to its payment processor, its merchant bank, and ultimately the payment card brands (e.g., VISA, MasterCard, Discover, and American Express). In many cases that contractual liability surpasses any other financial obligation that arises from the breach. The following provides a snapshot of information concerning credit card breaches.
The number of separate contractual penalties, fines, adjustments, fees and charges that the credit card brands may assess upon a retailer.1
Largest number of credit card numbers impacted by a breach.2
Percentage of data breach class actions that involved credit card data.3
Factors retailers should consider when preparing to respond to a credit card data breach:
- Does your payment processing agreement cap or limit your contractual liability in the event of a data breach?
- Does your payment processing agreement cap or limit your processor’s liability in the event that they suffer a data breach?
- Do you have a contractual obligation to notify your payment processor or merchant bank in the event of a possible security breach?
- Have the vendors of your point of sale equipment provided you with indemnification in the event of a breach caused by their equipment?
- Is a reporting structure, and contact information, included in your incident response plan?
- Are there any deficiencies identified in your organization’s latest “Report on Compliance.”
- If you have cyber-insurance are there any exclusions that would impact its coverage for credit card related breach costs?
- If you have cyber-insurance is there a sub-limit for Payment Card Industry (“PCI”) related liabilities?
- Do you have a contractual relationship in place with a forensic investigator that is certified by the Payment Card Industry (a “PFI”)?
- Do you have a contractual relationship in place with a forensic investigator that is independent of the Payment Card Industry?