You’ve probably heard the phrase, “You have to spend money to make money,” but what about, “You have to protect money to accept money”? The acceptance of credit cards is a critical and necessary function for any business. In order to reduce the cost of compliance, the vast majority of small and mid-sized companies process and store credit card payments by way of a third-party payment processor. Yet contrary to popular belief, outsourcing payment processing to a third party neither negates a company’s PCI DSS responsibilities nor shields it from legal liability. As this article will explain, a payment card data breach at any company not in compliance with PCI DSS opens Pandora’s box to an assortment of legal calamities.
WHAT IS PCI DSS, ANYWAYS?
Created by the five payment brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.), PCI DSS stands for the Payment Card Industry Data Security Standard. While not law in itself, the Security Standard is a set of technical requirements that govern the appropriate security posture for any entity that stores, processes, and/or transmits cardholder information. According to PCI, processing is just another word for acceptance. Practically speaking, this means any company that accepts credit cards as a form of payment must adhere to PCI DSS. On top of that, the use of a third-party payment processor does not eliminate the need for a company to be PCI DSS compliant. As explained by the PCI Security Standards Council, “Outsourcing simplifies payment card processing but does not provide automatic compliance.”
The repercussions for merchants who suffer a payment card data breach are far-reaching and significant. For one, breached merchants almost inevitably incur the cost of hiring a PCI Certified Forensic Investigator. Stipulated in the specific payment brand’s operating rules is the requirement that a breached merchant retain a PCI Council-approved forensic investigator. Not only does the merchant foot this bill, but the merchant also agrees to turn over the investigator’s findings to the applicable payment brands. The merchant’s breach also gives rise to the costs of notifying those affected — a process that is intensive in both time and money. Last but not least, a merchant’s breach gives rise to a host of legal liabilities arising out of third-party claims — from contractual violations to class-action lawsuits — as evidenced by the Schnuck Markets litigation.
Schnuck Markets (“Schnucks”) is a large Midwestern grocery store chain. In 2012, Schnucks suffered a breach in which hackers stole the data of 2.4 million credit and debit cards. The fallout from the breach implicated the entire cast of characters involved in Schnucks’ payment processing: Schnucks, the merchant; First Data Merchant Services, Schnucks’ payment processor; Citicorp, the acquiring bank; Visa and Mastercard, members of the Card Network Association; and Community Bank of Trenton (among others), the issuing bank(s). To understand the different roles and functions each of these parties played in Schnucks’ payment processing, look no further than the Eighth Circuit’s straightforward explanation:
“First Data served as Schnucks’s credit card processor. Citicorp served as its acquiring bank. When a merchant such as Schnucks makes a credit card transaction, the acquiring bank pays the merchant and is reimbursed by the bank that issued the credit card (the issuing bank). The acquiring bank sponsors the merchant into credit card association networks, in this case Visa and MasterCard (the Associations), and vouches for the merchant’s compliance with the Associations’ rules. The Associations’ rules provide that the Associations may issue fines against the acquiring bank in the event of a cardholder data breach and assess against the acquiring bank the costs of monitoring or cancelling at-risk cards and the amount of fraudulent charges on the at-risk cards.”
Integral to the relationship between all the aforementioned parties was a series of contracts. These contracts governed the responsibilities of each party and outlined remedies in the event of violations. In deciding to participate in the card payment system, Schnucks contractually agreed to abide by PCI DSS and to be on the receiving end of assessments and fines from the card networks in the event of a data breach.
This agreement between a merchant and its payment processor (and sometimes also the acquiring bank) is typically referred to as a Merchant Agreement, or in this particular instance a Master Services Agreement. Located in the Master Services Agreement was a provision in which Schnucks agreed to share in the liability for the losses suffered from the breach — losses borne by First Data as its payment processor and Citicorp as the acquiring bank. Because of the breach and the fines levied by Mastercard and Visa on First Data and Citicorp, Schnucks paid $500,000 to First Data per the Master Services Agreement. First Data and Citicorp actually tried to withhold more of Schnucks’ funds, but the Eighth Circuit affirmed a lower court’s ruling that held the Master Services Agreement contained imprecise language. See Schnuck Markets, Inc. v. First Data Merch. Servs. Corp., 852 F.3d 732, 735 (8th Cir. 2017). Even with the favorable ruling, this wasn’t the end of Schnucks’ legal troubles.
Four issuing banks brought a class action suit against Schnucks in an attempt to recoup the costs of reissuing credit cards and protecting their cardholders. The appellate court affirmed a lower court’s dismissal of the case. Case victory aside, it’s important to note that Schnucks was once again the subject of costly litigation that lasted almost two years and reached the Seventh Circuit Court of Appeals. See Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803, 808 (7th Cir. 2018). When you factor in the cumulative costs of breach remediation, repayments pursuant to the Master Services Agreement, and legal fees, Schnucks paid a heavy price.
IMPORTANT CONTRACTUAL TERMS IN MERCHANT AGREEMENTS
Standard in almost every Merchant Agreement between a merchant and payment processor are two provisions of particular importance that typically go hand in hand. These provisions cover (i) the incorporation of PCI DSS and (ii) indemnification. With regard to the former, merchants contractually agree to abide by and follow “all applicable rules and regulations of payment networks related to cardholder and transaction information security including, without limitation, the Payment Card Industry (PCI) Data Security Standard.” When a breach occurs and a merchant is found noncompliant with PCI DSS, payment processors and acquiring banks are quick to assert a material breach of the contract.
Moreover, this promise to adhere to PCI DSS speaks directly to a merchant’s agreement to “indemnify and hold [payment processor and acquiring bank] harmless from any fines and penalties issued by Visa, Mastercard, or any payment network, and any other fees, costs, and related losses arising out of or relating to the processing of transactions by [payment processor and acquiring bank] at Merchant’s location(s) and the failure of Merchant to comply with PCI DSS and the rules and regulations of the payment networks.” This concession to shoulder liability is just one cost of doing business that many unsuspecting merchants remain completely unaware of.
PCI compliance goes a long way toward mitigating future risk. Although payment processors may have significant leverage over small and mid-sized shops, business owners should nonetheless consult an attorney when evaluating the fine print of the governing contract(s). Merchants need to understand the terms of the agreement before they can adequately assess costs, benefits, and risks. As the late Carrie Fisher once said, “Everything is negotiable. Whether or not the negotiation is easy is another thing.”