The Green Sheet Online Edition
November 26, 2007 • Issue 07:11:02
Liability limbo: Where will you land?
With all the talk of Payment Card Industry (PCI) Data Security Standard (DSS) compliance, something has to be said about who carries liability for security breaches. There are various kinds of security breaches that may lead to liability in our industry.
The most common breaches occur at merchant locations. A less prevalent, but more direct kind of breach occurs at ISO or merchant level salesperson (MLS) locations. The most serious kind of security breach occurs at the processor or bank level.
It's not worth talking about security breaches at the bank or card Association level because I doubt the card Associations would impose fines or penalties on themselves for such breaches.
Tips to the wise
Here are tips to keep in mind when thinking about your liability for security breaches:
- Fortify your turf: Security begins at home. Whether or not you collect private personal information, pricing information, cardholder data or other sensitive information, if you are a business in the payments market, develop and adhere to security practices within your organization.
For example, suitable firewalls and password protection on computers and locked filing cabinets are basic common-sense precautions every business in our industry should adopt.
One reason for implementing security procedures, even when you do not collect sensitive information, is so you are prepared should you inadvertently begin collecting such data.
- Stifle data collection: Cardholder data, private personal information, bank account numbers and other sensitive information, whether it be financial or otherwise, are liabilities.
Consequently, you should severely restrict your collection of this kind of information.
It is tempting to create merchant application forms that are extremely thorough and help develop an understanding of merchants for underwriting purposes.
However, you should never collect information that you do not absolutely require; possession of that information is an unnecessary liability.
- Plan for destruction: To the extent that you must collect sensitive information, develop a policy by which you will destroy it as soon as you have made use of it.
I would not be surprised if there are thousands of filing cabinets and computers around the nation stuffed to the brim with confidential information that is of no use to the people holding it.
Select documents and information you no longer require, and destroy them. Document destruction involves more than just putting paper in the trash.
Paper should be shredded, computer hard drives should be scrubbed clean by an expert, CDs holding data should be erased and shredded, and so on.
But make sure you do not destroy information your acquiring organization may oblige you to store.
- Allocate before you sign: Apart from ordinary civil or criminal liability you may have for loss or misuse of cardholder or other personal information, a growing number of ISO and MLS agreements provide for an express allocation of liability for security breaches in the ISO or agent shop.
Determine what that allocation of liability is in your existing ISO agreement and for any new agreement before you sign it.
Generally speaking, an ISO or MLS will be liable for breaches that occur in premises that are under its control.
- Beware of merchant breaches: Unfortunately, ISO liability for a merchant security breach often hits the merchant and the ISO by surprise.
Having to replace POS equipment and software and potentially losing merchant accounts are damaging enough for merchants and their service providers.
However, the banks and card Associations have developed a matrix of formulas that result in considerable fines to merchants for breaches of security in their systems.
On a broad interpretation of an ISO agreement for which the ISO takes liability, that liability may very well include security breaches at the merchant location.
Examine your ISO agreement to find out what would happen if one of your merchants were liable for fines because of security breaches and the merchant were unable or unwilling to pay those fines.
In many cases the ISO or one of the ISO's agents may be liable for them.
Talk to your acquiring organization and ask for clarification about the quantity of such fines and how they are calculated. The calculation of fines for security breaches is often shrouded in secrecy.
- Keep tabs on software: The greatest single cause of security breaches that lead to fines is outdated merchant POS software.
If your merchants operate POS systems that use software, make sure the software is up-to-date and PCI compliant.
You would be amazed at how many merchants use POS software that is obsolete and completely noncompliant with the PCI DSS.
Whether or not you carry liability for merchant security breaches, it is very much in your interest to educate merchants on the necessity of PCI compliant software.
Unfortunately, some software providers do not take the initiative to make sure their customers are running the most recent versions of their software.
I'm surprised POS manufacturers continue to allow software providers to install software on their equipment that is not PCI compliant.
If the manufacturers were to intervene to prevent outdated software from being installed, many breaches could be avoided.
You might even develop a form that your merchants could complete to remind you and them as to what version of software they're using and whether the supplier of that software has confirmed that it is, in fact, PCI compliant.
ISOs and MLSs are not necessarily required to know all the fine details of the PCI DSS. However, everyone in our industry should know the importance of PCI compliance for merchants who handle cardholder data and other parties to which the standard applies.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or otherprofessional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, e-mail Adam Atlas, Attorney at Law, at firstname.lastname@example.org or call him at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.