PCI – What is it?: We can only begin to imagine the losses, liability and other consequences resulting from unauthorized access to credit card information, which, unfortunately, happens all the time. To attempt to deal with this problem, the credit card industry developed the Payment Card Industry (PCI) Data Security Standard (DSS), or PCI DSS, to ensure that companies that process, store or transmit credit card information maintain a secure environment. Compliance with these standards is required of all merchants authorized to accept credit card payments. In 2006, the major credit card companies (Visa, MasterCard, American Express, Discover and JCB) created the Payment Card Industry Security Standards Council (PCI SSC) to manage the ongoing development of the PCI DSS. However, the credit card companies, and not the PCI SSC, are responsible for enforcing compliance. For those interested and brave enough, a copy of the PCI DSS can be found here. It is important to note that PCI compliance, for the most part (more on that later), is not law.
Scope of Obligation: Using a third party to process, store or transmit credit card information does not remove a merchant’s obligation to comply with PCI DSS for these functions. Therefore, the merchant is responsible for ensuring that the third party providing these functions is compliant, or face the consequences. Section 12.8.2 of PCI DSS requires a merchant to “[m]aintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Merchants can’t assume that third party vendors are PCI compliant. Also, don’t assume that having an SSL certificate on your site makes you compliant with PCI DSS. Remember, all service providers that touch, manage and/or store a merchant’s credit card information are the direct responsibility of the merchant.
The Consequences Of Non-Compliance: If a merchant is non-compliant and there is a breach of its (or of its third party vendor’s) system, then the merchant bank will do any or all of the following: (1) terminate or suspend the ability of the merchant to accept credit card payments until compliance is achieved (which could result in potentially devastating losses of income for an online business), (2) charge the merchant for the cost of reissuing credit cards and other incidental expenses (also a large out-of-pocket expense), (3) require the payment of an escrow to insure against claims based upon fraudulent use of the breached credit card information, and (4) impose fines.
Becoming Law?: As an aside, I mentioned above that PCI compliance is not law. While that is generally true, both Nevada and Minnesota have incorporated PCI DSS into their personal information security laws. Accordingly, if doing business in either of these states, a business collecting credit card information is required by state law to be PCI compliant.
What Should a Merchant Do?: The bottom line is that merchants cannot shift the primary obligation of PCI compliance to service providers. Credit card companies will always hold the merchant primarily responsible for compliance and any breaches. However, the merchant has the ability to mitigate its risks. The two ways available to mitigate the risk are insurance and contractual provisions in the service provider agreements. For insurance, contact your agent. Below are suggestions for how to place responsibility and liability for compliance on the service providers. Of course, these suggestions should be drafted, negotiated and implemented by an attorney experienced in this area of law.
- Review merchant bank and card processing agreements in order to identify the merchant’s compliance requirements.
- Assess the risk posed by each service provider by evaluating (1) transaction volume, (2) whether the service provider’s system has been independently assessed for security, and (3) whether the service provider has an incident response plan in place to mitigate harm to the merchant from a security breach.
- Negotiate provisions in the provider agreement that obligate the service provider to conform to the merchant’s compliance requirements, and to maintain other risk mitigation procedures and policies (which can include reporting, audits and assessments).
- Assess and negotiate remedies for non-compliance, such as indemnification, penalties, and termination.
- Require service providers to maintain adequate insurance and to list the merchant as an additional insured.
Note: If possible, many of these requirements are best raised at the time of an RFP – otherwise, if a merchant waits until contract negotiations, it will be at a disadvantage.