In my previous article, I explained that PCI non-compliant organizations can incur a wide variety of penalties because of the Merchant Agreements that they have in place with their banks. Such contracts are signed as soon as the organization accepts payments through credit cards, regardless of whether this payment processing is outsourced to a third-party service provider (TPSP).
However, organizations must also deal with two other categories of legal threats: regulatory costs arising from investigations and costs from class action lawsuits. We have discussed these in general terms in our blog post about the anticipated storm of litigation and compliance requirements and in this webinar on the same subject. This post further analyzes the legal and compliance obligations and the resulting liability in the presence of a TPSP, and the impact of PCI DSS non-compliance in this context.
In principle, as Zetoony and Stout note, “retailers are not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach”.
They add that this is often part of the operating agreements: “The fine print in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer”.
In other words, if you accept credit cards, you are responsible to consumers and relevant credit card brands for any data breach that may cause financial damage to those parties.
Subject to the contractual limitations, however, the defendant can also turn against other third parties to claim part of the damages that it paid out because of a breach.
In principle, however, the retailer first absorbs the legal implications of the data breach (e.g. class action exposure, regulatory fines and contractual penalties) prior to any third party obligation.
Allegations of negligence, breach of fiduciary duty and breach of contract, individually, or together, are common in class actions (for more information, see our webinar on “The Developing World of Cyber Litigation and Compliance”).
Negligence, which is the issue alleged in most data breach suits, is typically defined as a failure to use reasonable care, or simply as conducting business in a manner that would not be considered reasonable for a prudent organization.
Examples of this may include not being PCI DSS compliant or not having measures in place that are otherwise covered by this standard, as well as not acting diligently in either the selection or oversight of the TPSP (see section “Some Advices on Dealing with a TPSP”).
In other words, legal systems do not require PCI DSS compliance (it is mostly a contractual requirement), but they do require diligence, and in this regard compliance with applicable standards is a critical indicator. Let’s not forget that the PCI DSS covers the security of the entire cardholder data environment (CDE), and not only the storage or processing of cardholder data. Many of its mandatory measures are actions that most legal precedents would otherwise require in order to mitigate risk. An example of this is Requirement 12.10 regarding the incident response plan and the specific actions that must be taken when an incident occurs.