For most retailers, credit cards are the primary form of payment they receive. Accepting credit cards, however, carries significant data security risks and potential legal liability. In addition to the normal repercussions of a data security breach – e.g., reputation damage, the risk of class action litigation, and the risk of a regulatory investigation – if a retailer’s credit card system is compromised, the retailer may be contractually liable to its payment processor, its merchant bank, and ultimately the payment card brands (e.g., VISA, MasterCard, Discover, and American Express). In many cases that contractual liability surpasses any other financial obligation that arises from the breach. The following provides a snapshot of information concerning credit card breaches.
The number of separate contractual penalties, fines, adjustments, fees and charges that the credit card brands may assess upon a retailer.1
Largest number of credit card numbers impacted by a breach.2
Percentage of data breach class actions that involved credit card data.3
Factors retailers should consider when preparing to respond to a credit card data breach:
1. American Express Merchant Regulations (April 2014); Discover Merchant Operating Regulations (April 2014); MasterCard Security Rules and Procedures (Feb. 2015); Visa Service Rules (April 2015).
2. Privacy Rights Clearinghouse, http://www.privacyrights.org/ (last searched Nov. 11, 2016).
3. Bryan Cave LLP, Bryan Cave 2016 Data Breach Litigation Report, https://d11m3yrngt251b.cloudfront.net/images/content/8/2/v2/82494/DataBreachLitigationReport.pdf (last viewed Nov. 11, 2016).