GS Logo
The Green Sheet, Inc

Please Log in

A Thing

Rules and Fines: The Cost of Cardholder Data Security Breaches

By Ken Musante

Cardholder security is everybody's business. When a breach makes headlines, it only reinforces the concerns of those who opt not to use their cards for fear of a breach occurring.

A few years back, the card Associations introduced rules and a fine schedule designed to transfer the financial burden of a breach from the issuing bank to the acquiring bank. Regardless of whether someone thinks that the rules and fine amounts are fair, they are so significant that sponsorship fees will radically increase and the number of principal members willing to sponsor ISOs and third parties will radically decrease.

The Associations introduced these changes as a result of an increasing number of breaches and cardholder compromises. A few years ago, the cost of dealing with a breach and account number replacement fell squarely on the issuer.

The Associations' reputations took a hit with every breach, but the direct cost fell on the issuers, which had to reissue the plastic, transfer balances and follow up with cardholders to confirm that pending transactions were posted correctly.

Inevitably, some reissued cards are stolen from the mail and others are permanently removed from the cardholder's wallet. Reissuing cards is expensive and requires time-consuming cardholder inquiries. Acquirers were not sharing the burden.

Associations Introduce SDP and CISP Fines

In an attempt to shift liability to the acquiring side, each card Association developed its own program. MasterCard International's is the Site Data Protection (SDP) program and Visa U.S.A.'s is the Cardholder Information Security Program (CISP). The Associations also couple severe fines with their rules.

The fine schedule allows MasterCard to fine acquirers up to $500,000 plus up to $25 per card. The fee varies depending on the issuer-submitted responses, the action each issuer took and its cost for that action. Visa has fines of up to $500,000 plus compliance rules that allow the issuer to charge back items purchased with the breached card numbers.

Both Associations have fine schedules that could bankrupt a principal member sponsoring a large ISO. Worse, there is no way to guarantee that a sponsored organization will not be hacked.

If a business is found compliant with the rules and a breach occurs, then the rules offer a safe-haven provision. But, how can a business ever be certain that it or its sponsored entity will not be hacked? If its sponsored entity is hacked, how can the business be sure it was in compliance at the time of the hack?

A $2 billion annual portfolio could easily contain more than 30 million card numbers (12 million of them being MasterCard-branded cards). Should a breach happen, a member could reasonably expect a $500,000 fine plus a reissuance fee per card.

I would conservatively estimate the reissuance fee is $5 per card (although, I've heard anecdotally that the actual fee is $8 per card). That equates to a fine of more than $60 million before adding any Visa fines.

While seeking to mitigate this risk I have been denied insurance coverage for the purpose of covering fines. I've also been advised that insurance is not available for Visa and MasterCard fines.

Given the example of the $2 billion portfolio and the going rate of a BIN sponsorship at $0.02 per transaction, the member would make $533,333 over the course of a year for assuming a liability in excess of $60 million.

Typically, in an ISO sponsorship deal, the ISO owns liability for any fees and fines. This makes sense because the ISO gains the lion's share of the revenue and builds an asset base. Yet it is the member and only the member that faces the fines.

In the example provided, the member must first accrue the estimated fine and then wait for the Associations to calculate the fine and pass it to the ISO. Unfortunately, in my experience, it could take the Associations up to two years to determine the actual fine.

Because the member should estimate and accrue the expense at the time realized, the member/ISO contract either must contractually require the ISO to pay the fine at the time accrued (difficult at best) or the member must carry the expense and hope to collect from the ISO when the fine is assessed some two years later.

I know the information provided is convoluted to say the least. I have numerous suggestions on how to improve the rules while still placing the financial burden and risk where it belongs. Regardless of my beliefs, these are the rules as they exist today.

I have a long history as a sponsor bank for several large ISOs. I believe sponsorship pricing is far too low relative to cost. The amount of $533,333 is not nearly enough to support a risk of $60-plus million.

Should a breach of this magnitude occur, the member bank will face inevitable lawsuits and inquiries from Visa, MasterCard, Discover Financial Services, American Express Co., Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corp., Federal Bureau Investigation, Secret Service, various debit card networks, and the individual Attorney Generals from each state.

Why would a sponsor bank risk so much for so little gain?

No entity can assure itself that it will not be hacked; it is equally difficult to ensure that an unrelated third party follows the Associations' rules so that if a breach occurs, the fines will not be enforced. Given that and the potential of unlimited fines, I see sponsorship costs spiraling upward and the number of banks providing sponsorship dwindling.

My advice: ISOs sponsored into a BIN relationship should lock in their long-term rates now. Financial institutions should make sure they make enough from each transaction to cover the risks they incur. Ken Musante is President of Humboldt Merchant Services. E-mail him at .

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Back Next Index © 2005, The Green Sheet, Inc.