The Green Sheet, Inc

Are you liable for data security breaches?

By Adam Atlas, Attorney at Law

Our industry's flavor of the year is data security. And rightly so. When cardholder information is compromised, everyone is affected. Banks, processors, ISOs, agents and merchants all have a vested interest in protecting the security of cardholders and merchants.

In the course of negotiating recent ISO and merchant level salesperson (MLS) deals, I've noticed some processors attempt to pass liability for security breaches on to ISOs and MLSs, even when breaches occur at merchant locations. I recommend ISOs and MLSs not assume this kind of liability without first considering the following eight points:

1. What's in it for you?

If you are an ISO or MLS, and you are asked to be liable for a security breach at a merchant location, you should expect something in return. You are familiar with factoring liability for chargebacks and other merchant losses into pricing. But liability for security breaches at merchant locations is more difficult to determine.

Calculating the cost to you of assuming security-breach liability involves the number of merchants, the volume at each merchant location, the extent to which cardholder data is stored and a long list of criteria by which merchants may or may not protect data. (These criteria are best summarized in the Payment Card Industry [PCI] Data Security Standard.)

If you are asked to assume liability for merchant security breaches, shop for insurance for that same liability. It should give you an idea of the ballpark figure you should charge the processor.

2. You might be liable without knowing it

Most liability deals for ISOs and MLSs say something like "ISO shall be 100% liable for all merchant chargebacks, fraud and other losses under merchant agreements." ISO liabilities are sometimes referred to as uncollected losses, because they are losses the processor has incurred and has been unable to collect from the defaulting merchant.

Contracts are often unclear about whether a security breach at a merchant location is included in the standard bucket of uncollected losses. If you have a liability deal, and one of your merchants has a security breach, don't be surprised if the processor looks to recoup some of its losses from you.

I am not saying this would be a fair or even legally correct interpretation of your ISO agreement. I am saying only that processors are likely going to turn to their with-liability ISOs to recoup some losses due to data security breaches.

Next time you are negotiating an ISO or MLS deal, discuss who will carry liability for data breaches at merchant locations, as distinct from liability for traditional losses such as chargebacks.

3. Data in your shop is your responsibility

To the extent that you store confidential or sensitive information, you are responsible for its security. So, even if you have a no-liability ISO deal, and you are protected from liability for breaches at merchant locations, nothing can really protect you from breaches that occur within your own organization.

For this reason, always limit the amount of confidential transaction data in your possession. Also limit the number of people who have access to it. Even if you are not expressly required to be PCI compliant, it is in the interest of any ISO to be as close to PCI compliant as possible. A lot of the requirements are common-sense security policies that most of you (hopefully) already have in place.

4. ISOs should never handle cardholder information

I am always shocked to learn of ISOs that handle cardholder information. Think of this information as radioactive material: You never want it in your hands or anywhere near you.

Most gateways and processors already have policies in place to prevent ISOs and MLSs from coming into contact with cardholder information. But you are the best safeguard against becoming "contaminated." Do not hold this type of volatile data.

5. Proximity matters

As you consider how much liability you are prepared to assume, consider the extent to which you are involved in the day-to-day security of your merchants. Chances are your involvement is next to zero. Many ISOs and MLSs have never even visited many of their merchant locations, much less carried out an audit of their security systems.

It is always preferable to assume liability for matters over which you have some degree of control. Being liable for security breaches in your own company makes sense. Being liable for security breaches at a merchant location you have never visited seems a bit like betting your assets on a roll of the dice.

6. Where there is fear, there is insurance

Insurers are cashing in on the frenzy over security by offering insurance for data security breaches. If you assume liability for such breaches, consider requiring all merchants who sign with your processor or bank to buy insurance for data breaches, naming you or the processor as the beneficiary. Discuss this with your processor and acquiring bank before taking action.

7. Liability has limits

Fortunately, security breaches sometimes look more damaging than they are. The theft of 10 million credit card numbers doesn't necessarily mean all of those numbers were used for fraudulent transactions. When contemplating liability for a breach, keep the actual harm it has done in perspective.

Needless to say, the potential for a data breach to cause damage, even at a small merchant location, is enormous.

8. Check out your local state law

State laws affect the obligations of parties that are victims of data security breaches. For example, some statutes require that all cardholders be informed of any breach involving their credit cards or other personal information.

When a breach occurs, not only must you comply with local state law, but you also need to notify law enforcement agencies. Many breaches constitute criminal offenses.

Electronic payments are on the rise. This is a good thing. However, the rise carries with it an ever-increasing risk of compromises in data security. When they occur, such compromises can cause substantial losses. You should know to what extent those losses will come out of your pocket.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, e-mail Adam Atlas, Attorney at Law, at atlas@adamatlas.com or call him at 514-842-0886.

Article published in issue number 061102

© 2006, The Green Sheet, Inc.