Liability in the Event of a Payment Card Breach

This is the second in a series of four brief summaries about what small business owners need to know about data breach risk and liability.

By now, every merchant that accepts credit and debit cards likely knows about the Payment Card Industry Data Security Standard (PCI DSS). And if they don’t — they should. It’s an industry security standard created by the leading card brands to increase protection of cardholder information and reduce fraud. Even small merchants are required to comply or risk losing the ability to accept many brands of payment cards.

Passing a PCI DSS assessment or audit validates that your business is following industry best practices to protect against a data breach. However, PCI compliance doesn’t equal security. PCI DSS is designed to help your business reduce vulnerability and risk, but it doesn’t mean that you’re risk-free, and it doesn’t protect you against liability in the event of a breach: a compliant merchant can still be breached and still be held responsible.

In the event of a payment data breach, your business could face liability from several different groups, including:

  • Card associations (the card brands)
  • Your acquiring bank
  • Credit card issuers
  • Government agencies
  • Individual customers whose information is compromised

It’s worth repeating: undergoing or even passing a PCI compliance assessment does not provide safe harbor from liability, although it may help minimize liability.

You can read more in Payment Card Data Breaches: What You Need to Know About Your Risk and Liability.
