Credit Card Breaches

BCLP

For most retailers, credit cards are the primary form in which payments are made. Accepting credit cards, however, carries significant data security risks and potential legal liability. In addition to the normal repercussions of a data security breach – e.g., reputational damage, the risk of class action litigation, and the risk of a regulatory investigation – if a retailer’s credit card system is compromised, the retailer may be contractually liable to its payment processor, its merchant bank, and ultimately the payment card brands (e.g., VISA, MasterCard, Discover, and American Express). In many cases that contractual liability will surpass any other financial obligation that may arise from the breach.

26: the number of separate contractual penalties, fines, adjustments, fees and charges that the credit card brands may assess upon a retailer.1

130 million: the largest number of credit card numbers impacted by a single breach.2

21%: the percentage of data breach class actions that involved credit card data.3

Factors retailers should consider when preparing to respond to a credit card data breach:

  1. Does your payment processing agreement cap or limit your contractual liability in the event of a data breach?
  2. Does your payment processing agreement cap or limit your processor’s liability in the event that they suffer a data breach?
  3. Do you have a contractual obligation to notify your payment processor or merchant bank in the event of a possible security breach?
  4. Have the vendors of your point of sale equipment provided you with indemnification in the event of a breach caused by their equipment?
  5. Is a reporting structure, and contact information, included in your incident response plan?
  7. Are there any deficiencies identified in your organization’s latest “Report on Compliance”?
  8. If you have cyber-insurance, are there any exclusions that would impact its coverage for credit card related breach costs?
  9. If you have cyber-insurance, is there a sub-limit for Payment Card Industry (“PCI”) related liabilities?
  9. Do you have a contractual relationship in place with a forensic investigator that is certified by the Payment Card Industry (a “PFI”)?
  10. Do you have a contractual relationship in place with a forensic investigator that is independent of the Payment Card Industry?

1. American Express Merchant Regulations (April 2014); Discover Merchant Operating Regulations (April 2014); MasterCard Security Rules and Procedures (Feb. 2015); Visa Service Rules (April 2015).

2. Investopedia, “Equifax Hack: 5 Biggest Credit Card Data Breaches” (Sept. 8, 2017), https://www.investopedia.com/news/5-biggest-credit-card-data-hacks-history/ (last viewed Jan. 14, 2018).

3. Bryan Cave LLP, Bryan Cave 2017 Data Breach Litigation Report, https://d11m3yrngt251b.cloudfront.net/images/content/9/6/v2/96690/Bryan-Cave-Data-Breach-Litigation-Report-2017-edition.pdf (last viewed Jan. 14, 2018).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising