A Q&A with David Navetta of Information Law Group
The Payment Card Industry (PCI) Security Standards Council Data Security Standards (DSS) were established in 2006, but that’s only one piece of the payment card liability puzzle. Merchants are also held to card brand rules via their merchant and other contractual arrangements with merchant banks or the card brands. I spoke with Dave Navetta, a founding partner of InfoLawGroup LLP, about the types of consequences retailers can face during a data breach.
In general, there are two types of costs that merchants can be liable for in the wake of a payment card breach
Can you break down the payment card liabilities for merchants that sustain a data breach?
In general, there are two types of costs that merchants can be liable for in the wake of a payment card breach: fines and penalties is the first, and the second category are loosely referred to as “assessments.” Fines and penalties are punitive in nature—they are levied for failure to comply with card brand rules and regulations as well as for PCI noncompliance.
Assessments, on the other hand, are amounts intended to compensate the card issuing banks whose cards have been stolen as a result of the breach, since they are the entity that ultimately incurs the loss related to lost or stolen cards.
There are two types of assessments:
- Operating expense recovery: This is for the cost issuing banks incur for reissuing cards and dealing with customers in the wake of the breach. Visa, for instance, allows for an operating expense recovery or $2.50 per breached card.
- Fraud recovery expenses: These cover the actual money lost through fraud perpetrated with respect to breached cards, and they can vary wildly. In any given card breach, at the outset, it’s unknowable how much fraud is perpetrated on a particular card. Breached merchants only discover the fraud amounts after the card brands and issuing banks tabulate the fraud related to breached cards – this can take several months after a breach has occurred.
Can you explain how a merchant that sustained a payment card breach event might be issued a fine, penalty or assessment?
It’s important to note that card brands are not fining or levying assessments against the merchant directly—except American Express, in some cases. Rather, the merchant bank with whom a merchant has a relationship is initially financially liable for these costs, but will then pass them along to the merchant under the terms of the merchant agreement between the bank and the merchant.
When it comes to assessments, the card brands each have their own criteria and they’re separate from the PCI compliance standards. For instance, under Visa’s rules, only security breaches involving 15,000 or more Visa cards qualify for assessments. That means an event with even 14,999 cards and a $10 million loss won’t be considered a liability for the merchant bank or merchant
It would seem that the amounts involved are arbitrary. How are fines, penalties and assessments calculated and how much can you be liable for?
The amount for fines and penalties is always at the discretion of the card brand, and it will vary, based on whether it’s the first violation, what level the merchant is—the card brands categorize merchants according to the sales and number of transactions—and whether the merchant takes steps to remediate the issue. I have also heard of instances—though this is not on paper anywhere—of lower penalties in cases when the merchant ”self-reports” a security incident. In general, the cost can range from $2,000 to $25,000 for fines or penalties, and sometimes card brands will continue to fine or penalize the organization for PCI noncompliance until it establishes compliance. The card brands also have the ability to levy much higher fines and penalties if merchants fail to cooperate or if their violations of the card brand rules are egregious.
For assessments, the amount is dependent on the number of cards breached, which is a big factor in operating expense recovery. If you can prove the breach was smaller then you have lower exposure for those costs. The same rationale is used for fraud recovery expenses – the less cards that are considered breached the lower these costs can be.
As with fines and penalties, the card brand rules will dictate the exact figure for assessments. Visa, for instance, assumes a certain amount of baseline fraud on a day-to-day basis, so they deduct a percentage from the breach amount. Another factor is if a card has been reported in a previous breach within 12 months prior to the breach at issue, Visa will take that card out of the equation. Finally, Visa will allow for a catastrophic cap for smaller businesses if the assessment amount is likely to put them out of operation.
There seems to be a discrepancy between the official fines posted by PCI and the amounts reported in the press, as in the Genesco case, where the press claimed the cost was $13 million. Can you explain this?
Most likely the $13 million figure includes the fraud amounts, and that’s really the wild card. PCI fines in and of themselves typically don’t go up to that level.
The very concept of PCI —a private standard of care with contractual penalties attached—makes it a challenge for many insurance professionals and risk managers to understand, but Dave did a nice job laying out a summary of this very real business exposure.
And yet, publicly reported data on these cases is scarce, which might be a source of frustration to our actuarial friends who, ahem, actually care. Another case example is Global Payments, Inc., which reported a 2012 PCI-related hacking breach that resulted in a loss totaling $93 million, of which approximately $35 million was for “fraud losses, fines and other charges that will be imposed by the card networks.”
As a final note, a reminder that even if a company is 100 percent PCI compliant and validated, it may not prevent a future data breach from occurring. We see this all the time: Compliance does not equal perfect security. Moreover, a breach can result in the following possible losses for a retailer/merchant, according to the PCI compliance organization:
- $50-$90 fine per cardholder data compromised
- Suspension of credit card acceptance by a card brand
- Possible civil litigation from breached customers
To learn more about PCI fines/costs, please see your cyber liability insurance company’s eRiskHub® to access their NetDiligence® Data Breach Cost Calculator, which includes estimated PCI costs. Also visit Junto to read more about the new PCI 3.0 standard.