Parent Page Home
Parent Page ARCHIVED PAGES
Parent Page Cyber & Breach Response Portal
Parent Page Issues
Payment card industry

Payment card industry

Under these rules, a business may be required to obtain (and pay for) a computer forensic audit (if they are suspected to be the source of a breach event), and also subject to fines, penalties and loss assessments should they be the source of an actual breach.

Illustration depicting a padlock and key

We’ve provided information for you to better understand the structure of the payment card industry and to better enable you to discuss payment card industry exposures with your clients.

You can also learn more at the PCI Council.

PCI loss exposures are based on a contractual liability rather than tort law. Contractual liability means that an entity has legal liability because they have agreed to accept responsibility as a part of a contract with another entity.

A contractual chain of liability

The card brands, ie. Visa, Mastercard, American Express contract with banks. They contract with issuing banks and merchant banks. The banks agree to follow the card brand operating rules and to accept liability for failures to follow these rules. A bank may contract with the card brands to operate a both a merchant bank and an issuing bank.

The chain of liability continue to grow

Following the card brand operating rules, issuing banks issue cards to consumers. Merchant banks, on the other hand, contract with merchants and processors to enable them to accept or process payment card payments. The credit card processors will, in turn, contract with merchants.

This is important, because the merchant banks will hold the processors and merchants that it contracts with liable for following the card brand operating rules. Processors will hold the merchants it contracts with responsible for following the operating rules. You can’t “get in the game” if you don’t agree (contractually) to play by the rules and accept certain liabilities.

PCI Data Security Standards

The most important contractual requirement is to adhere to the PCI DSS. These are the rules that require merchant banks, processors and merchants to maintain specific security requirements to protect card data from being stolen. The PCI DSS are complex. They cover 12 different areas and have over 200 specific requirements. Depending on the number of card transactions that they process each year, merchants must certify compliance with PCI DSS by completing a Self Assessment Questionnaire (SAQ) or by paying an outside auditor to complete a Report on Compliance (ROC). Importantly, the responsibility to remain in compliance with the PCI DSS is continuous. Merchants must be careful to remain in compliance at all times.

Other contractual requirements

In addition to the responsibility to be in compliance with PCI DSS, merchants also generally agree to the following:

Forensic audits: if the card brands suspect that the merchant may be the source of a breach, the merchant is required to obtain a forensic audit of their computer system by a computer security expert approved by the card brands. These forensic computer security experts are known as PCI Forensic Investigators (PFI). Such forensic investigations can cost well over $100,000.
Fines and penalties: if found to be out of compliance with PCI DSS, merchants may be subject to fines and penalties. Typically, these fines are between $5,000 and $50,000 each month the merchant is out of compliance.
Loss assessments: If the merchant is found to be out of compliance with PCI DSS and cards were at a risk of being breached, they may be subject to assessments to compensate issuing banks for the cost of issuing replacement cards to consumers as well as the cost of fraudulent charges paid to merchants but which cannot be collected from consumers.

Loss assessments may be significant. For example, The Houston Chronicle1 reported that Spec's, a Houston based liquor store chain, was assessed liability of $7.6 million for a breach event that occurred between 2012 and 2014.

1 "Spec's Sues Insurer Over Legal Fee Payments," Houston Chronicle, February 22, 2016.
The precise methodology used by the card brands is not disclosed, but the card brands generally determine the fines and loss assessments based on the number of cards potentially exposed as well as the length of time between the initial breach event and the termination of the breach based on the facts reported in the PFI Report.
The card brands use the PFI Report as the factual basis for determining fines and assessments. Once the PFI Report is issued, it is too late to introduce new evidence or new facts. As such, there is no basis for appeal based on the facts in the PFI Report being incorrect or incomplete. The only practical basis for appeal is a failure of the card brands to follow their operating rules and procedures. It is difficult to mount a successful appeal on these grounds.
The card brands have the ability to collect an assessment directly from the merchant's reserve account. The merchant bank is already holding the merchant's money and they just take it. If the merchant's account has
insufficient funds to pay the assessment and the merchant refuses to pay the assessment, or if the merchant fails to cooperate with any aspect of the process, they can have their ability to accept payment cards revoked.
Most breach events are first identified by the card brands by correlation between accounts experiencing fraudulent activity and the places those consumers used the card before experiencing fraudulent activity. When the card brands identify a merchant as a possible source of a breach, they issue a "Common Point of Purchase" (CPP) Report and require the merchant to obtain a computer forensic audit from a PCI approved computer forensic investigator (PFI). The PFI will determine if there is evidence of a breach and if the merchant is in compliance with PCI DSS.
Yes. The amount of exposure that each merchant has to a PCI loss is based on the number of card transactions processed and how the merchant processes those transactions. The more card data that a merchant handles and the more that such data is stored or transmitted through the merchant's computer system, the greater the amount of PCI risk.
Tokenization is intended to prevent the theft of the credit card information from storage on a merchant's computer system. Tokenization removes credit card data from a company's internal networks and replaces it with a unique placeholder known as a token. Should the "token" be wrongfully accessed, it will provide no useful information to criminal. Merchants use only the token to retrieve, access, or maintain their customers' credit card information. The actual payment card data is stored at a highly secure, offsite location.
A chargeback is demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction. Under the card brand operating rules, merchants must assume the full risk that a transaction is fraudulent or disputed when:

a card is not present in a transaction;

if the merchant is not able to accept an EMV transaction, for "card present" transactions; and,

for other transactions that otherwise are not completed in accordance with the card brand operating rules.

Under the above circumstances, if the consumer disputes the transaction, the merchant back will require the merchant to return the funds to the merchant back or "chargeback" the transaction. A merchant is not subject to chargeback liability by virtue of having a breach event.