Most risk managers are familiar with the complex web of considerations around data breaches. A host of well-known statutes, ranging from state breach notification laws to HIPAA, govern how organizations prepare for and respond to suspected exposures of personal information and protected health information (PHI). An entirely different set of standards and obligations exists for breaches involving payment card industry (PCI) data.
Most data breach laws cover the exposure of a name (or first initial and last name) in conjunction with certain other compromised data elements, such as Social Security numbers or account numbers. In a payment card breach, however, the data exposed is often limited to credit and debit card numbers alone. That scenario may not trigger notification or other requirements under data breach laws, but it still places a number of obligations on the breached organization under its agreements with its bank, payment processor and the payment card brands. Because much of the process occurs within the confines of the self-regulated payment card system, companies that accept payment cards may find themselves facing mandates that are both onerous and expensive to follow.
When a business decides to accept payment cards, whether it recognizes it or not, it has agreed to a whole set of standards, rules and penalties that, to a certain extent, are unique to each card brand. The management of a security breach that impacts customer card data is one of the matters typically incorporated into agreements with a bank, payment card processor or other payment system equipment provider, via individual card brand operating agreements or rules.
If a card brand or issuer spots what it considers a potential security concern, it will notify the retailer of the problem, typically through the retailer's acquiring bank and often in the form of a Common Point of Purchase (CPP) report. This is a simple statement that the business is believed to be the common point of purchase for a number of cards that later showed fraudulent charges. In what is essentially a "guilty until proven innocent" model, the retailer is then obligated to find out why this is happening and prove that its payment system is secure and not the source of the compromise.
To figure out what is going on, the card brands require that a PCI Forensic Investigator (PFI), a firm certified by the PCI Security Standards Council, be brought in to examine the potential breach. With only about a dozen such firms servicing the entire United States, businesses have little ability to comparison shop. Keep in mind, too, that the cost of a PFI investigation starts at around $10,000 and goes up from there, even for a business that is ultimately determined to have suffered no actual breach.
If the investigation reveals a security issue and the business is found to be out of compliance with the PCI Data Security Standard (PCI DSS), penalties may be levied by the card brands in the form of various types of monetary reimbursements. The formulas behind these reimbursements are convoluted and difficult to decipher. For example, MasterCard's second step in its Determination of Operational Reimbursement formula states, "MasterCard multiplies the number of at-risk accounts by an amount fixed by MasterCard from time to time." Unfortunately, there is no further reference to where that amount may be found. Other potential reimbursements, including fraud recovery, investigation and other costs incurred by MasterCard related to the event, also contribute to how much the business will owe because of its breach. The final sum is passed on to the card issuers that were left to deal with any resulting fraud and the cost of reissuing the affected cards.
The root of the problem is that, unlike fines imposed by federal or state regulators, which are subject to due process, these reimbursement assessments leave the business with little recourse. If the money is not paid willingly, the card brand assesses the retailer's acquiring bank, which is entitled under the merchant agreement to debit the funds directly from the retailer's account. Banks have even been known to tap into a business's overdraft protection to ensure the card brand is paid in full, and then go after the retailer itself for reimbursement.
Policy Coverage Hits and Misses
Because of the unpredictable (and usually expensive) nature of these assessments, insurance carriers often exclude them from coverage. Many policies do cover fines and penalties imposed by regulatory agencies, such as the Department of Health and Human Services or state agencies, but that is because there are established processes for appealing and disputing those penalties if they are not equitable.
Payment card assessments are problematic because, even though appeals can be filed, the retailer is appealing to the same entity (such as Visa or MasterCard) that calculated the reimbursement amount in the first place. Unsurprisingly, the vast majority of appeals are not settled in the retailer's favor.
Insurers recognize this rather backward and unwieldy system, and many have determined it is not in their best interest to subsidize the payment card brands through their insurance coverages. Carriers prefer to underwrite risks where they have legitimate avenues to contest a finding they believe is wrong. What’s more, the legal costs involved in fighting these assessments (almost always a losing battle) have the potential to be enormous.
Although assessments are not covered by most standard off-the-rack cyberliability policies, specialty coverages do exist. Unfortunately, such coverage is much more expensive and thus out of reach for most small or mid-sized businesses. Larger firms may choose to spend the money for assessment coverage if they handle a lot of payment card transactions. These policies are not, however, something that will simply be added onto an average business owner policy. Instead, they need to be shopped through a specialty broker.
The potential for staggering financial outlays tied to assessments makes accurately evaluating risks regarding payment cards particularly important. Businesses should pay close attention to where and how protective measures are deployed around their payment card systems and any related physical equipment, such as card readers and in-store terminals. Known vulnerabilities, even if they present a relatively low risk, are best eliminated so that they are not available for exploitation.
One of the key ways to protect payment systems is to keep the technology current. Unfortunately, many companies see investment in new point-of-sale and payment systems, which can be expensive, simply as an added cost rather than as a way to control an attack surface that grows as a system ages and its vendor stops issuing security fixes. To counter this inclination, businesses need to start planning for payment system equipment replacement the day they purchase a new system.
In addition, most businesses have a "set it and forget it" attitude about their equipment once it is configured. They never touch it again and consider it a vendor responsibility. Performing regular security upgrades, patches and maintenance once a system is installed, however, is just as important to plan for as equipment obsolescence; PCI DSS itself requires critical security patches to be applied within a month of release, so an unpatched terminal is a compliance gap as well as a security one. While using the latest payment card processing technology will not make a business bulletproof, it eliminates the known, long-unpatched weaknesses that are easiest for attackers to exploit and that frequently lie behind a payment card security incident.
Because the cost of monetary assessments by credit card companies could threaten a firm’s financial viability, a careful inventory of the safeguards already in use around payment card systems is a good place to start in evaluating potential risk areas. By maintaining a secure environment and understanding where weaknesses exist, businesses will be better able to protect payment card data and avoid costly penalties.