President's blog focused on industry trends and best practices.

Credit Card Handling Liabilities

November 11, 2006

What are the liabilities of handling credit card data? The Payment Card Industry (PCI) has a standard promulgated by the PCI Security Standards Council, known as the PCI Data Security Standard (PCI DSS) version 1.1. It is a harmonized standard that spans Visa, Mastercard, American Express, Discover and JCB credit cards. The standard and its associated documents do not spell out the liabilities, fines, actions or incident handling requirements that go with it, so I've provided some guidance below, with references to public sources that have additional information.


Liabilities include:

  1. Card replacement and monitoring costs (if applicable)
    • First and foremost: ask your payment processor.
    • This article quotes a Forrester Research analyst as saying: "The cost of disclosure, notification and the offer of credit monitoring services to affected users or customers after a breach can really add up...the general rule is $15 per customer...if it's a financial firm and credit cards are involved, that's an additional $35 for credit card replacement."
    • Other sources, such as Vorys, Sater, Seymour and Pease, LLP (a large law firm), indicate card replacement costs of up to $25 per card and monitoring costs of up to $5 per card.
    • Sellitsafe, a service/consortium for merchants, indicates that "the bank will incur a replacement cost of approx $15 - $25 dollars, depending on the size of their bank's customer base [and] internal processes".
    • search terms: visa "card replacement costs"
    • search terms: visa "card replacement fee"
  2. Per incident fines (the fixed portion)
    • First and foremost: ask each credit card company; they assess fines separately.
    • Visa USA indicates that "members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident".
      • Also, "if a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident".
    • search terms: visa pci "per incident" fine
  3. Cost of publicity
    • The incident may become public as a result of customers being notified about card replacement. Even when no replacement occurs, word about the incident may leak to the general public. This can result in an immediate loss of existing customers (in addition to the impact on potential new customers), as discussed in some of the previously mentioned sources: the article quoting Forrester Research, and Vorys, Sater, Seymour and Pease, LLP.
    • search terms: visa pci +incident +"customer loss"
  4. Loss of revenue (per hour of downtime) and the visibility of the downtime required for forensics
  5. Possibility of lawsuits
  6. Cost of an external forensics firm (the investigation is required to be external)
  7. Cost of internal personnel working the incident: legal, operations, etc.
  8. Other regulatory fines
    • e.g. federal laws/regulations (if applicable): FTC fines, GLBA fines, HIPAA fines
    • e.g. state "breach of information" legislation fines (see NCSL)
    • e.g. fines re privacy laws (if applicable)

Finally, it should be noted that aside from matters specific to the PCI standard, there are traditional fees such as the chargeback fee of $25 per chargeback.