The Green Sheet Online Edition
March 24, 2008 • Issue 08:03:02
State security laws loom
Just as acquirers and ISOs recover from some of the more dramatic security breaches over the last couple of years, state lawmakers have been implementing new regulations to protect consumer interests in the event of security violations.
ISOs and merchant level salespeople (MLSs) should be aware of laws that may apply to them. It may be to the advantage of sales reps and their merchant clients to know how to control their liability under these new laws.
California, with the Security Breach Information Act, is the leader among states with new regulations. This law requires notification to all consumers whose computerized personal information was, or is, reasonably believed to have been obtained by an unauthorized individual or entity.
The type of compromised information that will trigger letters sent to consumers varies from state to state. For example, some states do not require notification if the stolen data was in paper format only, while others specify that notices should be distributed for any type of breach.
Many states require announcements from credit bureaus when a certain number of private informational items have been compromised.
Some states enable consumers to benefit from a credit freeze or credit alert that would hinder a potential fraudster from running amok with a cardholder's personal information.
Minnesota went so far as to create a law that makes merchants responsible for reimbursing credit card issuers for the notification and re-issuance costs that result from a breach of security at the merchant location.
This type of regulation is nothing new. Holding merchants accountable for security breaches has been a part of the card Associations' rules for some time now. The regulation also mirrors some of the classic Payment Card Industry (PCI) Data Security Standard (DSS) principles, such as limitations on mag stripe data retention.
What follows are a few tips for merchant acquiring businesses to help them control some of their exposure to liability under these various laws.
1. Know your contractual exposure. Every ISO agreement should allocate liability for merchant and bank security breaches and the resulting association or state fines to one of the parties named in the agreement.
Given that most of these laws are relatively new, many ISO agreements do not clearly designate liability, leaving both parties with the disadvantage of ambiguity.
It is recommended that ISOs confer with their processors or banks to discuss who carries liability for merchant or bank security breaches and how allocations should best be put on paper.
A simple paragraph addendum to an existing ISO agreement can settle the issue, and reasonable and responsible processors should welcome clarifying this point with their ISOs.
2. Study statutes. Many ISOs operating across state lines solicit merchants in multiple geographic locations. Research the laws applicable in all the states where you do business.
You might be surprised by what you learn. The trend toward more legislation on security matters will only increase as data storage capacity and speed of communication correspondingly increase the risk of security breaches.
3. Educate and monitor merchants. Whether or not you take on liability for merchant security breaches, it is a sound ISO and MLS practice to educate and monitor merchant PCI and general security compliance.
For example, if you are signing a merchant with a POS system capable of storing mag stripe information, take a minute to query the merchant (and perhaps the suppliers of the hardware and software) to see whether the tool and its software are PCI compliant and can withstand a hacker attack, or outright theft of the hard drives, without triggering a security issue.
4. Protect with encryption. You don't have to be a security expert to know that whenever cardholder data is stored it must be encrypted.
That way, if the computer on which the data is stored gets physically stolen, the thief will have a hard time using any of the data on the hard drive because it was encrypted.
That being said, many talented security and PCI compliance experts and consultants in our industry are ready to educate ISOs and MLSs on security measures that they and their merchants need to take.
5. Security is business. In a slowing economy, the search for new sources of income naturally intensifies. Security compliance has become a significant and reliable revenue stream in the bankcard acquiring business.
Look no further than a merchant statement with a PCI compliance fee to know that acquirers, processors and ISOs have an opportunity to make a few dollars amid all of the hullabaloo over security.
As an ISO or MLS, make sure you get your fair share of the added revenue from security compliance.
Personal information, such as cardholder information, is a hot potato issue; neither merchants nor ISOs should be collecting, storing or disclosing private account data without implementing the proper security measures.
Remember, your first source of guidance on security is the institution that has sponsored or enabled you to become an ISO or MLS.
That being said, not all institutions are equipped or willing to educate their ISOs in security compliance rules. Thus, ISOs and MLSs have an obligation to educate themselves in order to avoid costly and potentially devastating surprises.
As the industry continues to grow and evolve, governments will invariably see a greater need to create new laws that ensure the payments environment is secure and safe. And with regulations come complexity and, often, confusion.
Take the time to know and understand every detail in your merchant agreement, and clearly state who will be responsible if a breach should occur. As the old saying goes, an ounce of prevention is worth a pound of cure.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, e-mail Adam Atlas, Attorney at Law, at firstname.lastname@example.org or call him at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.