The Green Sheet Online Edition
August 10, 2009 • Issue 09:08:01
Tough love in compliance and breach liability
Consumers with credit cards have long been afforded the most crucial of all protections: immunity from fraud liability. When card data is stolen - no matter how it happens - all charges that follow are someone else's to pay.
Fraud liability has to fall somewhere, of course, and while some say the fraudsters themselves (those who get caught) should contribute, typically they are punished with civic fines and jail time, not restitution.
Rather, that cost is placed squarely on the occupants of the payment chain, one or more ill-fated parties saddled with the byproduct of someone else's mischief. Yet, it varies precisely how those costs are apportioned, a task that can be a tricky business - especially when blame is difficult to find.
In the words of Rick Fischer, a Washington, D.C., lawyer who specializes in data theft and Payment Card Industry (PCI) Data Security Standard (DSS) compliance, the process of placing liability for data breaches is one of "rough justice."
"Someone asked me one time if the fines and the notice requirements were fair," Fischer said. "And I said, 'you know what would be fair in these circumstances? It would be fair if the hackers and the identity thieves give notice to the consumers and pay the fees - that would be fair.' But that's not going to happen."
Generally speaking, determining liability is a top-down process that begins with the card issuer. If the issuer itself is breached, the ensuing process is relatively straightforward, at least in theory; that organization takes the hit, pays whatever costs were racked up with stolen card data and then undertakes the expensive process of clean-up.
This latter job, which involves things like notifying customers affected by the breach and issuing new cards, can be more taxing than one might think.
According to Walter Conway, a payment business Data Security Consultant, the process of notification by itself will typically involve sending mailers, making phone calls, creating a Web page and establishing a "credit monitoring service" - the price on all of which can run between $40 and $200 per account compromised. At that rate, he said, fewer than 5,000 notifications could well put the price tag into the millions of dollars.
In the event that liability falls on a processor or merchant, these and other associated costs are passed down by the issuer - and in both cases they go initially to the acquirer. If a breach occurs in the merchant sector, fines usually are passed down twice - from the issuer to the acquirer and, in turn, from the acquirer to the merchant.
"I think in that situation those [acquirers] can be dealt with very quickly and very harshly by the brands," Conway said. "An acquirer is supposed to be secure - that's what they do for a living. You expect them to be secure."
Using a middleman
The aftermath of a breach to the merchant sector is far less clear-cut.
Because issuers and merchants hold no direct business contact and have no contractual agreements, issuers have only limited ability to recoup their costs.
Any fees they do impose go first to an intermediary - the acquirer, with whom both parties are contracted - which will absorb the cost, pass it to the merchant or absorb part and pass the rest, depending on the acquirer's contract with the merchant.
Fischer said virtually every merchant-acquirer contract stipulates precisely how issuer fees will be distributed between them - although such a clause has only become a regular part of their contracts in the last several years. He said those fees commonly range between $100,000 to a ceiling of around $500,000, and they're sized roughly equally whether it's a merchant or processor that's been breached.
According to Conway, "generally all" contracts stipulate that the merchant will absorb everything - although he added there were exceptions, including instances in which acquirers turned the tables and paid the whole tab themselves. "I do know cases where there's been a breach - not terribly large, and the acquirer has decided for the business relationship or whatever reason not to pass the fine - they've eaten it," he said.
Fischer said it isn't uncommon for acquirers to absorb at least some of the costs, noting that "there's a lot of competition" among acquirers to secure merchants, and any provision that helps relieve cost burdens can be used as a selling point.
But he added that significant contractual concessions are usually reserved for the larger retailers whose businesses are deemed lucrative enough to make certain risks, like the assumption of liability, worth taking.
"This is a business world and these agreements are intensely negotiated, and there's a lot of competition," Fischer said. "So as an acquirer you try to get as much of [the fines] as you can back on the retailer and not lose the retailer."
A breached merchant may also face third-party lawsuits, usually filed by the issuer to skirt the limitations of industry fees - which Fischer said can only go so high, or else get blocked by the overseeing card brand (either Visa Inc. or MasterCard Worldwide, depending on the issuer). He said such cases are usually decided in favor of the merchant, leaving the issuer to eat a large portion of the breach costs.
He sited the clothing retail giant TJX Companies Inc., which, after suffering the largest breach ever by a merchant in 2007, was spared by the courts from paying a good chunk of its penalties even though, according to the Federal Trade Commission, the company was nowhere near compliant.
"Even in that situation, while they ended up paying a significant amount to issuers through the Visa settlement that was orchestrated, it was significantly less than the issuers wanted," Fischer said. "So if you look at it on a rough justice basis, it probably was an appropriate amount."
Plenty of suffering to go around
Indeed, each party on the payment chain seems to suffer "rough justice" its own way. For their part, issuers absorb the initial shock of every fraudulent transaction, and bear the burden of having to recover all those costs - some of which they never get back. Especially when a merchant is breached, an issuer can be almost certain that it will shoulder a bulk of the expenses.
Unlike merchants, processors that are breached often bear the burden of reimbursing the issuer completely, the total costs of which can be huge. Heartland Payment Systems Inc., which reported a breach in 2008, said in May 2009 that its costs had reached $12.6 million and counting.
Processors, which in most cases play the role of acquirer as well, are also go-betweens for the fines issuers levy on merchants, and in many instances absorb at least a portion of those costs.
Merchants, meanwhile, are rarely responsible for what happens to other parties (unless those parties aren't certified PCI-compliant) but frequently have plenty on their own plates. They are the most likely of all parties to experience a breach, and, of the ones that are hit, typically the least able to absorb the costs.
"The vast majority of breaches are in the merchant sector - it's an overwhelming number," Conway said.
Breach liability and PCI compliance
Unavoidably, the issue of post-breach liability ties into some key points of contention regarding PCI compliance more generally.
Liability (excepting outside lawsuits) hinges on establishing noncompliance at the time of a breach, which is determined by a forensic audit. Breached parties found to have been compliant are supposed to enjoy "safe harbor" from industry fines - but of all the post-breach audits conducted to this point, not one has made that finding.
"No compromised entity has yet been found to be in compliance with [the standard] at the time of the breach," the PCI Security Standards Council (SSC) declared earlier this year - and it maintains that position today.
Some take issue with that position, asserting that, while the PCI DSS makes a very good guide for security implementation, perpetual PCI compliance is basically an unattainable goal - and, among breached entities subject to forensic audit, a set-up for failure.
"It's always easy to be a Monday morning quarterback, to come back and take a look at and say, 'Ah ha! What about this?' That one spot that these very talented criminals had to discover," Fischer said.
"There are literally tens of millions of point-of-sale terminals and lots and lots of retailers of all sizes and they can only do so much," he added. "They gotta run a business - sell products and the like. So it's not possible for them to protect all their information all the time, and even if it was [possible] yesterday, it won't be today and won't be tomorrow."
Conway expressed a different view, asserting that the difficulty of PCI compliance "can be blown out of all proportion. Merchants are going to have to spend a little time, maybe a lot, depending on what changes you're willing to make, to become compliant. But do I think it's an onerous burden that's unfair and driving people out of business? No ... I think a lot of the mashing teeth, a lot of the whining, quite honestly, is misplaced."
He added that the findings of post-breach audits have revealed substantial malpractice.
"Some people say ... you could always find something somewhere [in a post-breach audit]," he said. "Well, that's not what [the PCI SSC] said. What they said was, not only were [breached parties] noncompliant, but the source of noncompliance was related to the breach. So it wasn't because of something trivial - where they were noncompliant actually was materially important to the breach."
To a large extent, opinions about post-breach liability are rooted in the perceived roles of the different parties involved in preventative security - including the audits that businesses must undergo at least once a year along with a quarterly or monthly systems scan required as part of compliance maintenance - and the extent to which those audits provide assurance of compliance.
Conventional notions about the different roles played in ensuring security continue to be challenged, not least when Merrick Bank took the unprecedented step of suing a security auditor in May 2008. CardSystems Solutions Inc., which conducted card processing for Merrick's 125,000 merchants, had been certified Card Information Security Program (the precursor to the PCI DSS) compliant in June 2004, only to be breached several months later.
That lawsuit, which is ongoing, may hinge on the scope of responsibility that auditors can reasonably be expected to take on - in other words, the extent to which a system deemed secure at one point in time can be assured to stay that way.
"The challenge with compliance is, it's a point in time exercise," said Andy Bokor, Chief Operating Officer of Trustwave, an information technology security consulting firm.
"So from an assessor's standpoint, we can go into an organization and take a look at the profile of all the controls we need to look at, and at that given time they may have been satisfying those.
"But organizations are very dynamic ... if new [technology] gets added between compliance cycles, that's where you get some of the vulnerabilities that are exposed."
Bokor added that, while the roles of outside parties in security maintenance can be significant, ultimately "the onus is on the end user. It's their responsibility - it's their system, and they are the people doing the configuration. The auditor is really just there to do the white-glove audit."
Some contend, however, that many businesses, especially merchant stores, can do only so much to guarantee their own security, and the role of outside parties with more technical savvy and PCI knowledge is crucial - particularly the roles of acquirers, with whom merchants are most closely associated.
"Acquirers have a dual burden," said Paul Rasori Senior Vice President, Global Marketing for payment technology provider VeriFone. "One is to make sure all their merchants are compliant. And the second is they need to make sure they're PCI compliant themselves, because they're also storing and transmitting and capturing information."
"There's a lot of people to blame [for security weak spots]," Conway said. "And I'm going to start with the banks, and all the people that have done an absolutely appalling job of communicating PCI to the merchant community.
"... I don't blame the merchants for this. PCI is a reasonable set of safeguards that will protect the merchant, their brand and the merchant's customers, but the merchants simply aren't properly informed about it. And I'm using a broad brush because some of them I know are doing a great job, but I wish I saw more of it," he said.
Conway added that the PCI SSC "has done most of what it can as a standards body" to promote enforcement of PCI regulations, but that it "doesn't do any enforcing, and maybe that's the flaw in the whole model."
Indeed, the roles of different parties in security prevention mirror those in the post-breach scenario. Just as issuers cannot impose post-breach costs directly on merchants, the enforcement of PCI standards cannot flow directly from the top down; in both cases, the extent to which those who reside on the bottom of the chain are impacted depends on the role of a middle party.
Legally accountable or not, such parties will usually face consequences of some kind - reputational damage, outside criticism and the loss of merchants - when the merchants they are contracted with suffer a breach.
"Those who sleep with dogs get fleas," Fischer said. "Well, an acquirer that does not have a significant compliance program for their merchants ... is going to end up with fleas."
Many acquirers are finding, furthermore, that to avoid the tremendous burden of security breaches to their merchants, it is best to assume more of the burden for prevention.
"We're trying to come to market with a managed service that allows merchants not to have to worry as greatly about PCI," said Bill Clark, General Manager, Point of Sale Division for payment system solutions provider Apriva. "We want to be an advisory partner and to manage the networks.
"It's our opinion that helping the merchants be educated and, in many cases, offloading some of the work of staying vigilant helps them and really helps all of us in the industry."
Better technology on the horizon
Others say the quickest and most effective way to relieve the merchant burden is through better security technology that would limit the ongoing and complex procedural work required of PCI compliance - and there are indications the broader use of such technology is forthcoming.
In April 2009, the founders of the Secure POS Vendor Alliance, Rasori among them, marked the organization's official inception. The organization's aim is to address the industry's most pressing issues with data security, primarily with technological solutions that include, most prominently, end-to-end encryption.
"There's a big cry for something more definitive that takes the responsibility away from the retailer, and maybe even the acquirer, and that's referred to in the industry as end-to-end encryption," said Rasori, the SPVA Secretary and Treasurer. "Doing an encryption of the information before it even enters the retailer's system could potentially take it out of the scope of all retailers."
The PCI SSC appears also to be considering the use of new technology. In June 2009, it commissioned the security consulting firm PricewaterhouseCoopers to research new approaches to the adoption of security technology by merchants, processors and acquirers.
Meanwhile, after suffering one of the most high-profile breaches in recent years, Heartland is leading the way toward the use of end-to-end encryption, implementing the technology in-house and at the site of every one of its merchants.
Indeed, the Heartland situation could well symbolize the plight of the industry at large, which appears to be, slowly but surely, heading for changes largely compelled by the constant battering of a relentless criminal front - and the "rough justice" that so often results. As the Heartland case seems to demonstrate, sometimes getting dragged through the mud is the best impetus for change.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.