We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings.
In this post, we cover one of the largest potential financial consequences retailers face after a payment card data security incident involving magnetic stripe data from cards swiped in stores—assessments of non-compliance fines, fees, and liability to reimburse affected issuing banks by the card networks (i.e., Visa, and American Express). In the Report, we identified two liability ranges: (1) PCI DSS non-compliance fines of $5,000 – $50,000; and (2) liability to reimburse affected issuers of $3 – $25 per at risk card. Below we discuss when this liability is triggered, how it is calculated, and steps companies are taking to avoid this liability.
When payment card data may be at risk, the card networks may require a retailer to hire a Payment Card Industry Forensic Investigator (PFI) to conduct a forensic examination. The PFI is required to submit a final PFI report containing its investigative findings to the card networks using a report template issued by the PCI Security Standards Council (SSC). Appendix A of the template requires the PFI to identify whether the retailer was compliant with all sub-requirements of PCI DSS at the time of the incident and, if the retailer was not, identify whether the noncompliance caused or contributed to the breach.
Below is an excerpt from Appendix A for Requirement 1 of PCI DSS. Under the current version of the template, unless the PFI conducts a full Qualified Security Assessor (QSA) assessment of the retailer’s cardholder environment in addition to the PFI investigation (something PFIs rarely, if ever, do), the PFI must answer that each requirement was not fully assessed, which then limits the PFI to, at most, finding that compliance was only partially in place. The “Yes” box for “In Place” cannot be checked unless a full QSA assessment was conducted by the QSA (the template was revised in March 2015 to clarify confusion over this from the updated version of the template that took effect on January 1, 2015). If you read the annual PCI DSS compliance reports of forensic firms that conduct PFI investigations, you will see commentary that retailers that had payment card data stolen were not compliant with at least one PCI DSS requirement. Given the number of sub-requirements (over 200) that there are under the 12 broad requirements and the fact that PCI DSS is an interpretative standard, if payment card data was stolen, it is highly likely that a retailer will receive a final PFI report identifying at least one area (but usually more than one) of PCI DSS non-compliance. And when the report identifies an area of non-compliance, the retailer becomes subject to card network operating regulations that permit the imposition of non-compliance fines of up to $50,000 – $100,000 depending on the network. For at least one card network, the fine is re-assessed on a monthly basis until the retailer re-validates PCI DSS compliance. For some retailers, this may take 3-5 months, especially under the paperwork heavy validation requirements of PCI DSS 3.0.
Takeaways — It is often obvious during the PFI investigation if the PFI has identified areas of non-compliance that will be noted in the final PFI report. When faced with the likelihood of non-compliance findings, retailers should consider engaging a new QSA during the PFI investigation (the card networks generally do not allow the QSA that did the pre-incident assessment to do the post-incident assessment). A new QSA can: (1) consult with the retailer on the preliminary findings of the PFI—there may be legitimate grounds for disagreeing with the PFI’s findings of non-compliance and it is often better to have an informed debate with the PFI before the report becomes final than to try to convince the card networks afterwards that the PFI was wrong by offering a competing opinion; (2) conduct a gap assessment as part of the retailer’s remediation efforts; and (3) especially when there is minimal remediation to be done, prepare to conduct a new assessment with the goal of getting to an attestation of re-validation within a month of the submission of the final PFI report, which is when the card networks often start assessing non-compliance fines. Additionally, if the retailer has not already done so, implementing EMV, point-to-point encryption (P2PE), or tokenization may provide a discussion point with the card networks regarding a decision to assess a fine.
Issuing Bank Reimbursement
In most investigations where evidence of a compromise is found, the PFI does not find sufficient evidence remaining in the retailer’s network to identify all of the payment cards that were stolen. Issues that create this lack of evidence range from insufficient logging to malware operating in volatile memory to attackers securely deleting evidence of the cards that were stolen. Thus, the PFI usually identifies an at risk window—a date range during which the attacker had the ability to steal payment card data. The card networks then usually treat all cards swiped in the retailer’s affected locations during the at risk window as at risk. The card networks, either through the retailer’s payment processor or on their own, then identify the at risk accounts and send alerts to issuing banks letting those banks know which specific accounts were identified as at risk. Those issuing banks may then conduct heightened monitoring on those cards or simply reissue them to avoid the potential for fraudulent charges. The issuing banks then have a certain time period to report to the card networks how many cards were reissued and the amount of counterfeit fraud that occurred on those cards.
After the card brands collect the data from the issuers, they apply their assessment program rules (e.g., GCAR, ADCR, DSOP) to determine, according to the card networks, the amount of losses suffered by the affected issuing banks as a result of the incident that they will collect from the retailer to reimburse the issuing banks. The assessment programs generally identify two areas of issuer losses: (1) operating expense – the amount incurred by issuing banks for reissuing cards; and (2) incremental counterfeit fraud – the amount of counterfeit fraud on the at risk cards that is above the baseline level of fraud the card networks expect to see. The assessments under these programs typically generate one of the largest areas of financial liability for a retailer in a payment card incident affecting data stolen from cards swiped in stores.
In the case of the two largest card networks, the liability for the assessments is imposed on the acquiring bank sponsor of the retailer. The acquiring bank sponsor of the retailer then invokes a contractual indemnification obligation owed by the retailer to the acquiring bank under the merchant services agreement and withholds from the retailer’s transaction settlement funds enough money to pay the card network assessment. Because American Express and Discover generally have contracts directly with retailers, they impose the assessment liability directly against the retailer pursuant to the terms of the card network’s contract with the retailer.
For some of the largest payment card breaches, the liability assessments made by the card networks are publicly available. These settlements, such as the recent Target agreement, have generally been in the ballpark of $2 per at risk card. Retailers who are evaluating whether to implement point-to-point encryption or the amount of cyberliability insurance to purchase, however, should not rely on the $2 per card range. Because the amount of incremental fraud calculated by the network is highly dependent on how many stolen cards are actually used by criminals to make counterfeit cards that are then used to make purchases in a store, the incremental counterfeit fraud calculation is highly variable across incidents. When tens of millions of cards are at risk, a significant percentage of the cards will not experience counterfeit fraud. Thus, on a per card basis, the total liability assessment will tend to be closer to the $2-3 per card range. When only a few million or a few hundred thousand cards are at risk, the per card amount is usually a little higher. And when only tens of thousands of cards are at risk, that is when you typically see the higher end of the per card amount.
Takeaways — First, it is worth clarifying three misperceptions about this liability:
(1) EMV does not eliminate this risk. Most EMV enabled terminals are “hybrid” terminals that accept magnetic stripe and EMV cards. And some experts are predicting that it will be 2020 before almost all transactions are made on EMV cards. Thus, retailers will continue to have magnetic stripe data in their point-of-sale systems for possibly five years or longer.
(2) Retailers are responsible for their service providers. If the incident occurred because of an error or omission by a service provider engaged by the retailer (e.g., failure to monitor logs, insecure remote access), the retailer still incurs the liability, either directly from the card networks or indirectly through its obligation to indemnify its acquiring bank. The retailer then has to look to its contract with the service provider for a basis to recover from the service provider.
(3) “PCI Fines and Penalties.” Some casually and erroneously lump non-compliance fines, case management fees, and liability for reimbursing issuing banks into one category they call “PCI fines and penalties.”
Faced with the prospect of potentially catastrophic liability and the likelihood of customers continuing to present magnetic stripe cards for payment over the next five years, retailers are increasingly turning to P2PE solutions. In a properly implemented P2PE environment where card data is encrypted in the terminal when the card is swiped and the retailer does not have the decryption keys, an attacker who breaks into a retailer’s network will not have the ability to gain access to plain-text magnetic stripe data. Effective April 1, 2015, Visa will no longer require retailers that accept 75% of card present transactions through a P2P application on the PCI SSC’s approved list to annually validate PCI DSS compliance.