United States: Deeper Dive: Merchant Liability Arising From Stolen Payment Cards

For merchants, accepting payment cards is not really a choice. Many merchants, however, are unaware of how that "choice" subjects them to significant potential liability in the event payment card data from cards swiped at the point-of-sale is stolen from their payment network. Often casually (but incorrectly) referred to as "PCI fines and penalties," the contracts merchants sign with their acquiring bank/payment processor or directly with a card network impose an obligation to indemnify the acquirer/processor or card network from the expenses incurred by issuers of affected cards, including fines, fees, card reissuance, and counterfeit fraud.

2016 Data Security Incident Response Report

In last year's BakerHostetler Incident Response Report, we reported the range of PCI DSS non-compliance fines as $5,000 – $50,000 and the per card amount of liability imposed to reimburse issuers of affected cards as $3-$25. In this year's Report, the fine range remained the same, but the range of the initial demand for reimbursement of issuers broadened to $7-$65 per at-risk card. The median assessment was $30 per card, and the median number of total at-risk cards was 125,000. Relatively modest incidents affecting only a few hundred thousand cards can lead to millions of dollars in liability.

While non-compliance fines and case management fees might sting, the liability for operating expense/card reissuance and fraud is generally a much larger amount. When the investigation is complete, the card networks determine the cards they believe to be "at-risk" as a result of the incident and send alerts to the banks that issued those cards. Those issuing banks then have a short amount of time to let the card networks know which cards experienced counterfeit fraud during a time frame identified by the card networks. The card networks then calculate the amount of reimbursement for operating expense/card reissuance based on the card type and issuer size. This component of the liability assessment, after accounting for various deductions that occur, fairly consistently equates to approximately $1 per card. The fraud component, however, is highly variable. It is a function of how many cards were actually stolen, sold, and then used by someone to make a counterfeit card that is then swiped in a store to make a purchase compared against a so-called baseline level of expected fraud. For smaller incidents, as a practical matter, a greater percentage of at-risk cards are able to be used to make counterfeit purchases than when millions of cards are stolen. Thus, incidents with fewer than 500,000 at-risk cards generally have a wider range and tend to result in the highest per-card amounts.

Merchants who want to project potential scenarios and attempt to approximate the potential amount of liability they may encounter can conduct the following exercise. First, because it is common for a payment card incident to last for several months, if not longer, identify the total amount of card present transactions that occur over increments of three, six, nine, and twelve months (or longer – we have seen incidents that last for more than a year). Depending on the assumptions of how many repeat customers there are, apply a deduplication factor (e.g., 20%). Then use the table below of ballpark ranges to project potential liability based on the number of unique cards for each time increment.

Most incidents will have multiple variables that will influence how the amount of fraudulent charges that occurred on at-risk cards. Some of the factors can be influenced by the merchant during the response, such as how quickly the incident is identified and corrected. Perhaps the most important and effective impact a merchant can have on narrowing potential liability is by working with the forensic firm that is conducting the investigation (known as a PFI – a Payment Card Industry Forensic Investigation) to precisely identify at-risk accounts and avoid being subject to uncertainties that often lead to larger at-risk windows being assumed. For merchants with multiple systems and associated merchant IDs, there may be opportunities to identify some systems as not affected, thereby reducing the number of at-risk cards. For incidents that affect multiple locations, a detailed investigation often identifies locations that were not affected or affected for a shorter time frame. These efforts, however, are often highly dependent on having good forensic data available. Slow detection and deficient logging often leave a merchant faced with less favorable outcomes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.