Leadership Laboratory
- Leadership Lab: Information Technology and the Law
This series of essays explores the many aspects of technology law relating to computer and information security.
New Merchant Liability for Losing Credit Card Data
June 14th, 2007
By Benjamin Wright, JD
The Minnesota Legislature has shaken up the ecosystem in the credit card industry. It has enacted legislation that shifts the rules and risks associated with the protection of credit card data. The new law gives Minnesota merchants a bit less incentive to accept credit cards as payment.
Minnesota’s new law comes on the heels of history’s largest credit card data security incident. TJX Companies, a major retailer, announced earlier in the year that hackers broke into its data systems and accessed some 45.7 million credit card accounts. As a consequence, many financial institutions have replaced the cards of TJX customers. Financial institutions have noisily complained about the costs they incurred replacing cards. For example, after HarborOne Credit Union in Brockton, Massachusetts, cancelled 9000 credit cards, it ceremoniously sent TJX an invoice for $590,000.[1] Many financial institutions have filed lawsuits against TJX seeking reimbursement.[2]
Negotiated Relationship in the Credit Card Industry
The legal relationship among players in the credit card industry is complex. A merchant like TJX typically has a contract with the bank that processes its credit card transactions, its "acquiring bank". Under that contract it has certain obligations to the acquiring bank. One such obligation is to implement certain security measures to protect card data. And the contract might provide that the merchant will pay fines and indemnify the bank in the event of a breach of data security at the merchant. But the merchant does not have a direct contractual relationship with other banks in the system - such as the banks that issue credit cards to consumers.
So typically a merchant is not directly obligated by contract to reimburse consumer banks if they incur costs. However, the consumer banks may be entitled to some reimbursement from the acquiring bank, which the merchant must indemnify.
Consumer banks might argue that this arrangement is unfair. They believe that if the merchant is the cause of a loss, the merchant should simply pay, without further discussion.
But, on the other hand, it can be argued that consumer banks understood the deal - and understood the contractual division of risks - when they entered the credit card business. Consumer banks reap hefty fees from credit cards, which compensate them for the risk that they must sometimes cancel cards. The fees are paid by the merchants.
PCI-DSS
Credit card associations like Visa and MasterCard are trying to foster greater security among merchants. They have published the Payment Card Industry Data Security Standard (PCI-DSS) to set expectations for the protection of card data by merchants. Among other things, the PCI-DSS sets objectives for protecting, purging and encrypting data. Commonly, the contract between a merchant and its acquiring bank (or between the merchant and a card association like Visa) will require that the merchant comply with the PCI-DSS. Failure to comply can result in the assessment of fines and other penalties.
But failure to comply is (normally) not directly tied to an obligation to reimburse consumer financial institutions for the costs they incur as a result of the non-compliance.
For merchants, compliance with the PCI-DSS is challenging and controversial. The standard sets many requirements that can be expensive to meet, but it also leaves room for flexibility. For example, Appendix B of the PCI-DSS (version 1.1, September 2006) recognizes that a merchant can sidestep a requirement if it possesses "compensating controls" that mitigate the risk the requirement is designed to address.
Therefore, whether a merchant is in compliance with any given provision of the PCI-DSS is not a simple question. The PCI-DSS sets some expectations for merchants not to retain certain sensitive data, but satisfaction of those expectations is subject to judgment and argument.
Altering the Ecosystem
The credit card system could be viewed as an ecosystem. The various participants in the ecosystem have - by way of contracts and the PCI-DSS - negotiated a division of fees, fines, risks and responsibilities among themselves.
But on account of incidents like that at TJX, some financial institutions are not happy with the negotiated ecosystem. So they have complained to politicians. In Minnesota the politicians have responded with H.F. 1758, also known as the Plastic Card Security Act.
H.F. 1758 bluntly states that a merchant may not retain certain card data, such as a card’s security code and the full data from the card’s magnetic stripe. It further provides that if a merchant does retain such credit card data, and that leads to a breach of a card’s security, then the merchant must reimburse the financial institution that issued the card for the reasonable costs incurred to avoid damage.
(Note that there can be much argument about what costs are reasonable for an institution to incur when card security has been compromised. Financial institutions will interpret the word "reasonable" broadly, and merchants will interpret it narrowly.)
Minnesota has changed the ecosystem. It has created a direct obligation between merchants and consumer banks. The obligation forbids merchants from retaining the data in question - regardless of subjective ideas like the compensating controls recognized in Appendix B of the PCI-DSS.
The obligation imposed on merchants does not come with any quid pro quo for merchants - as might happen in a negotiated ecosystem. Minnesota does not, for instance, provide merchants any lower fees in exchange for taking this new obligation.
Minnesota has increased the costs borne by Minnesota merchants that accept credit cards. It has given them a modest incentive to move their operations out of state or to favor other forms of payment, such as cash, check or PayPal.
As an author and instructor at SANS Institute, I discuss issues like these in my courses on IT law.[3]
==
Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by the SANS Institute.[4] He is the author of numerous books on technology law.
==
[1] Jaikumar Vijayan, "Credit Union Bills TJX $590k for Breach Costs," ComputerWorld, June 11, 2007.
[2] Jon Swartz and Byron Acohido, "TJX data theft leads to money-laundering scam," USA Today, June 11, 2007, http://www.usatoday.com/money/2007-06-11-tjx-data-theft_N.htm
[3] http://www.sans.org/training/description.php?tid=862
[4] http://www.sans.org