
Payment Card Industry Regulations: Unknown and Misunderstood Risks of Non-Compliance Abound

Fines and penalties may be in the thousands of dollars, but assessments of the funds banks and credit card companies lose due to breaches and fraud can be in the millions―enough to put smaller merchants out of business entirely. Worse yet is that most merchants do not even read―let alone understand―the full extent of the risk they take on when accepting credit cards.


Nick Economidis, an underwriter with Beazley USA Services Inc., said there is a lack of clarity and plenty of misconceptions among merchants as to what happens when a breach occurs. “Nor do many insurance brokers understand the exposure to losses,” he said. “Payment Card Industry (PCI) regulations require compliance with Data Security Standards (DSS), failure of which can result in fines and penalties, or much larger loss exposures. Insurance brokers,” Economidis continued, “have an opportunity to educate their clients, who often sign merchant agreements that they really don’t understand.”


Economidis moderated a panel at the recent NetDiligence® Cyber Risk & Privacy Liability Forum with Grayson Lenik of Trustwave®, a PCI forensic investigator; Dave Navetta, attorney and one of the founders of InfoLawGroup; and Craig Hoffman, a partner with Baker & Hostetler LLP.


Dave Navetta started with the basics. “If you’re a merchant you will have a Merchant Services Agreement with the bank, and in-between is a payment processor. Your first obligation is compliance with data security standards and card-brand operating rules. Those vary depending on how many transactions a merchant accepts. Non-compliance resulting in a breach will result in fines, penalties and loss assessments against the bank representing the merchant.” The bank, in turn, passes these amounts on to the merchant.


“What are the obligations of the banks and merchants?” Economidis asked.


“If there is a penalty against the bank, the merchant must reimburse the bank,” Navetta explained. “Also, there is a right to set up a reserve whereby the bank can hold back funds if they think the merchant will owe a fine or settlement. This can mean a merchant will not have cash to buy merchandise to sell,” Navetta warned. “This is a very powerful tool banks use to get the money owed to them as a result of the breach. If the merchant doesn’t comply, the bank can cut off their credit card acceptance. One bank threatened to pull the card processing capability of one chain of stores and put ATMs in all of their locations. Also,” he said, “a merchant must retain a forensic investigator in the event of a breach or suspected breach.”


So the risks, Economidis summarized, are fines, penalties, assessments, holdbacks on funds, termination of a credit card contract, being blacklisted and the cost of forensic audits for breaches or suspected breaches.


“What are assessments about?” Economidis asked.


“A fine occurs if the merchant is non-compliant with PCI DSS,” Hoffman said. “In the event of a breach that leads to fraudulent uses of cards stolen from a merchant, banks that issued the cards take a financial hit. Separate from the fines, the card association assessments are an attempt to reimburse the banks and make them whole for the fraud and operating costs, such as the cost of reissuing cards, which is $2.50 per card with Visa®.”


“What are we talking about in terms of fines?” Economidis asked.


“Fines are not usually the most expensive of the costs incurred in a breach,” Hoffman said. “They could be $5,000 a month. The biggest concern is whether the merchant is subject to the assessment programs, and that’s usually only when card-present transaction data is at risk ― although MasterCard® applies its program in a lesser way to e-commerce transactions.”


Economidis said insurance brokers have trouble knowing which clients have greater exposure, such as a flower shop vs. an online retailer. “Which retailers are at the highest risk and what are their exposures?” he asked.


Lenik said that while he has seen some physical attacks on terminals, a flower shop with one or two “swipe box” card readers is at the lower end of the risk spectrum. “At the higher end of the risk spectrum are the large retailers with multiple checkout lanes or restaurants with multiple terminals, usually with Windows® PCs with touch screens, and which aggregate to servers in back of facility. This is where we see the lion’s share of breaches. Card processing system developers make it easy to get remote access―which the bad guys also like because it is easy to guess passwords. According to the 2013 Trustwave® Global Security Report, SQL injection and remote access were the two most common methods of intrusion criminals used in 2012. Remote access is often the door used by the bad guys to access card data.”


Economidis asked about encryption and tokenization, and how well those methods reduce the risk.


“These could really make an impact,” Lenik said. “Right now merchants are responsible for their equipment, unless the bank ships them the equipment. When using a simple card reader the information swipe is just like a keyboard and shoots data through in clear text. The data can be captured there by malicious software and sent to the back of house in clear text for authorization. If there is a mass rollout of devices that are actually encrypted at the swipe―not in memory or on the terminals themselves, but actually at the swipe―that could solve a big piece of the security risk.”


“As for tokenization for e-commerce, when you enter your information at a merchant site, they are tokenizing your CVV, your expiration date, your PIN. This data is being encrypted with a one-way hash, and broken into pieces so not all data is sent at any one time. You are issued a one-time token that represents your data. It is that token that is sent for authorizations. This eliminates the ability to get the data that is imprinted on a credit card or magnetically encoded on a credit card.”


“So if implemented correctly,” Economidis asked, “these measures can significantly reduce the risk?”


“Yes, significantly,” Lenik said. “I have seen some modification where hackers have bypassed the token and started logging that data, but that is rare. There is always going to be risk, however.”


“What happens when a merchant discovers a breach or card brand suspects there is a breach?” Economidis asked.


“Usually it’s the latter,” Hoffman said. “Merchants don’t generally detect breaches on their own. Most of the time it’s the issuing banks, who then do analytics that look at where cards were last used legitimately before a fraudulent charge appeared. If they find enough instances of fraud appearing on cards after they were used at the same merchant, they identify that merchant as a potential common point of purchase, or CPP, and then they contact Visa® or MasterCard®, who then calls the merchant and requires the merchant to investigate for signs of a breach. At this point there is very limited data shared. The merchant might only be told that one issuing bank detected fraud on five cards that were used in one store. Companies usually start by ruling out employees, that is, determining whether the fraud occurred all in one checkout lane. Then the merchant may receive additional CPPs for another store and another store. At that point it’s time to engage a forensic investigator to start imaging servers. The public wants immediate notification, but the process just isn’t that fast. The forensic team gets on a plane, takes the data back to the lab, then five or ten days later you might start to have a sense for what happened.”
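The issuer-side analysis Hoffman describes, finding the merchant where fraud cards were last used legitimately and flagging it as a common point of purchase, can be sketched in code. This is an added example, not code from the panel, Trustwave or any card brand; the transaction history, card tokens and merchant names are constructed, and the minimum-card threshold is an assumed parameter.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class Txn(NamedTuple):
    card: str        # card identifier; constructed tokens here, not real PANs
    merchant: str
    when: datetime
    fraud: bool      # True if the issuer confirmed this charge as fraud


def parse_history(text: str) -> list[Txn]:
    """Parse 'card,merchant,ISO-timestamp,ok|fraud' lines, oldest first."""
    txns = []
    for line in text.strip().splitlines():
        card, merchant, when, status = line.split(",")
        txns.append(Txn(card, merchant, datetime.fromisoformat(when), status == "fraud"))
    return sorted(txns, key=lambda t: t.when)


def last_legit_before_fraud(txns: list[Txn]) -> dict[str, Txn]:
    """For every card that later saw fraud, return the last legitimate
    transaction made before its first fraudulent charge: the issuer's
    'where was this card last used legitimately' step."""
    by_card: dict[str, list[Txn]] = defaultdict(list)
    for t in txns:                      # txns is time-sorted, so each list is too
        by_card[t.card].append(t)
    result = {}
    for card, hist in by_card.items():
        first_fraud = next((t for t in hist if t.fraud), None)
        if first_fraud is None:
            continue                    # card never saw fraud; nothing to attribute
        legit = [t for t in hist if not t.fraud and t.when < first_fraud.when]
        if legit:
            result[card] = legit[-1]
    return result


def common_points_of_purchase(txns: list[Txn], min_cards: int = 5):
    """Group fraud cards by the merchant of their last legitimate use and flag
    merchants reaching min_cards distinct cards as CPP candidates.  For each,
    return (card count, earliest, latest) of those legitimate uses: that span is
    the issuer's first rough estimate of the window in which cards were exposed,
    which the merchant's own preserved forensic data can later narrow."""
    per_merchant: dict[str, list[datetime]] = defaultdict(list)
    for t in last_legit_before_fraud(txns).values():
        per_merchant[t.merchant].append(t.when)
    return {
        m: (len(times), min(times), max(times))
        for m, times in per_merchant.items()
        if len(times) >= min_cards
    }


# Constructed issuer history (not real data): five cards were last used at
# "bigbox" before fraud, two at "cafe", and "c07" never saw fraud.  The fraud
# charges appear at a card-not-present merchant the issuer does not recognise.
SAMPLE = """\
c01,flowershop,2013-01-02T10:00:00,ok
c01,bigbox,2013-01-05T12:30:00,ok
c01,unknown-ecom,2013-02-01T09:00:00,fraud
c02,bigbox,2013-01-07T18:15:00,ok
c02,unknown-ecom,2013-02-02T09:00:00,fraud
c03,cafe,2013-01-03T08:00:00,ok
c03,bigbox,2013-01-10T11:00:00,ok
c03,unknown-ecom,2013-02-05T21:00:00,fraud
c04,bigbox,2013-01-12T16:45:00,ok
c04,unknown-ecom,2013-02-06T10:00:00,fraud
c05,bigbox,2013-01-20T09:30:00,ok
c05,unknown-ecom,2013-02-08T10:00:00,fraud
c06,cafe,2013-01-15T08:00:00,ok
c06,unknown-ecom,2013-02-09T10:00:00,fraud
c07,bigbox,2013-01-18T12:00:00,ok
c08,bigbox,2013-01-11T12:00:00,ok
c08,cafe,2013-01-25T08:00:00,ok
c08,unknown-ecom,2013-02-10T10:00:00,fraud
"""

if __name__ == "__main__":
    for merchant, (n, start, end) in common_points_of_purchase(parse_history(SAMPLE)).items():
        print(f"CPP candidate {merchant}: {n} cards, exposure window {start:%Y-%m-%d} to {end:%Y-%m-%d}")
```

Note that "cafe" is also the last legitimate use for two fraud cards but stays below the threshold, which is why the merchant on the receiving end is told about only a handful of cards and why CPP reports for a store are circumstantial rather than conclusive.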


“The PCI Security Standards Council has given us five days to get the data back to the lab and have a preliminary report,” Lenik said. “The report can be as simple as, ‘Hi, we’re engaged and we’re working on it.’ It is unfortunate but that has been the case sometimes. Sometimes we have to do a lot more digging. Other times we find malware while we are on site and have a preliminary report written on the plane on the way home.”


“Then the merchant finds itself sometimes on weekly phone calls with the card associations, with the PFI, with its processor, sometimes it’s the bank, saying ‘What’s going on?’” Hoffman explained. “The card associations are asking processors to provide info to Visa or MasterCard, and banks are notified. They monitor and start contacting the customers to tell them they have cancelled their card, because there was a breach at merchant X. Then the merchant starts getting phone calls from people who had their cards cancelled asking ‘Why didn’t you tell me there was a breach?’”


[Editor’s Note: According to its website, www.PCISecurityStandards.org, the PCI Security Standards Council is an open global forum launched in 2006 that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. The Council’s five founding global payment brands―American Express®, Discover® Financial Services, JCB International, MasterCard Worldwide®, and Visa Inc.―have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs, PA-QSAs and ASVs certified by the PCI Security Standards Council.]


“What is the merchant’s requirement to notify consumers of the breach?” Economidis asked.


“There is nothing under the payment card association regulations that requires notice to an individual,” Hoffman said. “The notification obligations arise under state law, so if you have an incident where cardholder names and account numbers were accessed or acquired by the attacker, you are likely triggering state breach notification laws. But where you have card-present retail transactions, most companies authorize using track two, which is only the account number, expiration date and card verification value, so there isn’t a name associated with it. So the attackers are stealing data that doesn’t trigger state breach notification laws.”


“So quite often there is no obligation to notify consumers … but they find out anyway,” Economidis stated.


“Correct,” Hoffman said.


“Who owns cardholder data?” Economidis asked.


“If you ask the issuing bank,” Hoffman said, “they will say they do, and there is support for that in the card association regulations. So as a merchant you can be viewed as a processor of that data, but not the owner. If there is an incident, you as the processor could be required in most states to notify the owner―which is the issuing bank. And that’s essentially done for you through the card association regulations. When you identify what the at-risk cards are, the processor gives them to Visa and MasterCard. They then send alerts to those issuing banks. You could take the position that that process gives notice to the owner of that data, which is the issuing banks, who have the choice as to how they notify the cardholder.”


“What’s the role of the PFI―the forensic investigator?” Economidis asked.


“It varies from company to company,” Lenik said. “I come in as a private consultant for the business that has hired us and hope to offer at least some advice about what’s going to happen with the process and what they’re going to have to do. I help them move through compliance, and at the same time I am required to provide specific items the Council has laid out that are part of the PFI report. I am pretty bound by that contract. If we want to continue to do work as a PFI we can’t just say to Visa or MasterCard, ‘Sorry, you can’t have that data in this case.’ People have said PFIs are beholden to card brands. We are, to an extent, in that they are telling us what we have to report, but at the same time we try to help people through breaches and give them the resources they need.”


“So you’re there to help the merchant?” Economidis asked.


“I like to think I am helpful,” Lenik said.


“The card brands expect certain information and they actually expect a certain approach to things as well in how you report it,” Navetta added. “And it varies by PFI, but the PFI investigation doesn’t go as deep as it would if you hired your own forensic investigator. First of all, there is a pricing issue. If you’re a smaller merchant they are going to charge a certain amount and you can only do so much forensics for that amount. There is an established approach, so there are certain assumptions that may go against the merchant, such as the scope of the breach, and data that has not actually left the system. The problem is, that report is the foundation for the fines, penalties and the assessment process. For example, the number of cards at risk will trigger assessments in certain cases under Visa’s rules if the fraud involves fewer than 15,000 cards. It does not matter how much fraud was on the cards. It doesn’t matter what the operating expenses are. If fewer than 15,000 cards are at risk there is no assessment process. The window of extrusion that Lenik finds in a breach and the number of cards at risk can be important when you’re close to that 15,000 threshold. For example, I had a case where we were close to that threshold and we argued that it was below and got it reversed, but that kind of information and findings fold into and inform the fines and penalties eventually.”


“When you go into a breach, the best time to actually influence the outcome on the backend is when the forensic investigation is happening and you have some gray area issues and you’re trying to work it out with the forensic investigator to be more favorable to the merchant.”


Addressing Navetta, Economidis asked, “Do you think most merchants realize that the PFI report is going to form the basis of the fines, penalties and assessments?”


“No,” Navetta replied. “Oftentimes they get called in after the breach and you get a letter from Visa and MasterCard saying you owe $300,000 and you go back and see the report is done. They don’t realize at that point in time that is how the report is going to be used. In the adjudication process, which is a very confusing one, whatever is in that report is kind of the law of the land.”


“In defense of PFIs, they don’t often do that,” Hoffman said. “They are asked what cards are at risk and they have to answer. To get a reliable and conclusive finding is difficult. They are left to look at what data is left and make a determination.”


“We struggle with that,” Lenik said. “We are trying to redefine how we get to report before the Council, but we’re generally tasked to say there is conclusive evidence of a breach or there is inconclusive evidence of a breach. And that’s very difficult because, a lot of times, it’s nine months since the breach occurred and I might find very definitive evidence of two pieces. I might see intrusion, and I might see malware that we know steals credit card data, but I have no evidence whatsoever, because of logging or because of the amount of time, that that data ever successfully left, except that we have a high percentage of fraud, which is not necessarily conclusive. In those situations we are left in a tough spot and we’re working on the ability to split those up and say infiltration was conclusive, aggregation was conclusive, but we see no evidence of exfiltration.”


“Part of the problem is that the card associations ultimately interpret the reports as well,” Hoffman said. “So if it’s inconclusive and they have evidence of a lot of fraud, they conclude there was fraud and there was a breach even though the forensic report doesn’t actually say that expressly. And that’s a weird situation which I view as a little more than a common point of purchase report based on some mathematical algorithm that says perhaps the merchant was breached.”


Economidis asked, “Are you saying card brands are going to conclude based on circumstantial evidence that there was a breach unless you can conclusively prove there was not a breach?”


“Yes,” Lenik said. “If two of the three points are there and they have fraud, they will consider it conclusive.”


Economidis asked, “What should a merchant do when they have a breach?”


“Investigate immediately,” Hoffman said. “Start preserving any available data. It’s sometimes counterintuitive―but you want that forensic data available even if it’s harmful because it shows there was a successful attack. If you have the right data available you can do a better job of pinpointing and narrowing the window of intrusion and at-risk cards. When there is insufficient data, and you have CPP reports that say there is fraud on cards used legitimately in your store going back 18 months, and if there is evidence of an intrusion, and the capability existed for that intrusion to go back 18 months―you may be in a situation where the card associations construe that as evidence that the breach began 18 months ago. In reality it may have started only a few months ago. If you had better available forensic data, you could have demonstrated when the intrusion stopped and started.”


“You also find people turn their machine off right away when they find potential evidence of a breach,” Navetta said, “not realizing that they may be losing important data at that point. Or they use malware or antivirus software to wipe their server clean because they are scared that the breach is still happening. In reality, if they had left it on and not run the antivirus, an investigator could get data and limit the scope of the breach. It is unfortunate when that happens.”


“We’ve seen a rise in inconclusive breaches because of antivirus software,” Lenik said. “There aren’t any really new malware variants out there and we’re seeing antivirus software catch up. Antivirus software will scrub at least the important pieces of malware and maybe leave a few residual files. If a breach ends five months before I even get on site, by the time I get there there’s no evidence except that antivirus was run. That makes for a really difficult investigation.”


Economidis asked Lenik, “What are the most common avenues that lead to breaches?”


“Implementation flaws by third party IT consultants and integrators,” Lenik said. “Out of 450 of our investigations, 86% used third-party IT consultants. Third parties come in to make software easy to use and make it work. And without even knowing it the merchants are signing the contract that says the security of the network is 100 percent the responsibility of the business owner. These integration companies come in and they are leaving their customers just wide open to breach. Knowing what we know about the horrible passwords they use for easy remote access―it’s a recipe for disaster.”


“What are the common mistakes that lead to breach?” Economidis asked.


“It’s the basics. It’s Systems Security 101,” Lenik said. “You set up a system that’s moving valuable financial data and you’re not watching it and not monitoring it. You may have a firewall in place but two or three remote access applications open through that firewall, with a password like ‘aloha hello’ or ‘pospos.’ Really? You’re begging for a breach. Never mind the in-depth PCI regulations, just turn off those default user names and passwords and get back to basics.”


“But if merchants are compliant with PCI data security standards,” Economidis asked, “how is it they have a password that is a ‘password’ and is easily cracked like that?”


“It is the integration companies that come in and set it up and make it easy,” Lenik said. “They are leaving those accounts in place because those are the accounts they use to perform maintenance. Or, even worse, they leave those default accounts in place and add yet another one with an inadequate password so they can get in more easily. I have seen things where they use the integrator’s name followed by the integrator’s name. The answer is they are NOT being compliant and they are NOT paying attention to compliance whatsoever―not even the easy steps.”


“So, you mean the merchant is not even compliant, they just think they are?” Economidis asked.


“No, they are not compliant,” Lenik said. “Typically the merchant has people going through and signing the paperwork and saying ‘we’re compliant’ and they aren’t even looking.”


“The merchants on some level are relying on the integrators,” Navetta said. “They don’t realize the integrators aren’t saying they are going to make a PCI compliant point of sale system. They are saying they are going to implement a point of sale system and they are actually disclaiming any liability in their contract for any PCI compliance. So these merchants unfortunately are not sophisticated and savvy enough in the IT world to understand this.”


“We also run into a problem,” Lenik added, “where there is the PCI DSS and the PA-DSS. PA-DSS is the application itself. The newest version of Aloha is PA-DSS certified. That means the application when you process a card doesn’t store data, among other things. As soon as you put that onto a Windows 2000 server that’s no longer in support, your entire implementation is no longer PCI DSS compliant. So there is confusion in terminology. Someone will say they are using a compliant app, but it’s running on XP Service Pack 1―that, in and of itself, is failing compliance.”


“So the application and environment need to be compliant,” Economidis said. “What about best practices for merchants?”


“Hiring a second forensics expert is a consideration, but not something you should do as a matter of course,” Hoffman said. “You have to look at the specific investigation and one consideration is what data might be at risk. If you have data that’s at risk beyond just the payment card data, the PFI is only going to come in and look at whether payment card data is at risk. If you have other data at risk you have other obligations you have to assess. You may need a second firm.”


“Another consideration is that after the card brands make their determination, they send you a case management report that says you are being charged X number of dollars, and you have a chance to appeal. But it’s not a typical appeal―not the kind many [attorneys] are used to. Here you write back to the card association company that just charged you and say ‘We don’t think you did it right. Now change your mind.’ And they say ‘No, we like that number. We’re sticking with it.’ That’s the appeal process. A second firm can often give you some support when you write your appeal to the card associations to say their assessment was incorrect, that it was based on insufficient data, that there was no evidence of exfiltration. That may be one of the least successful arguments you make because if there is circumstantial evidence, like common point of purchase reports, that’s enough for the card associations to reject the appeal. There are some scenarios where you can make very detailed arguments and maybe there was malware running to search for track-two data when the card was run through, but if you do it with a PFI or you do it with a second firm you can take a look test and see if the malware actually captured 100 percent of the cards that went through. Then you can re-create what happened and maybe you can show something different than what you would have to infer. We have had scenarios where people were issuing the right commands to query card data from a database, but when you set it up and actually tested, it was shown that they used the wrong syntax and the commands failed, and they actually retrieved no data. Whether you work with a PFI or with a PFI in a second firm, there really is a lot of opportunity to make a meaningful impact on your risk and what assessments you face ― and it’s during the forensic investigation.”


“We have had cases where a second PFI firm has looked at the data and found that the first PFI was just dead wrong,” Lenik said.


“Can fines and penalties be negotiated? Is there an opportunity to talk them down?” Economidis asked.


“Sometimes,” Navetta said. “Each card brand has a different process. Usually Visa and MasterCard are on the forefront and have the most developed and mature process. After a while you get to know how their rules work, so what you’re looking for are mistakes. Mistakes can happen on the forensic side, or on the scope of the breach, or where they have counted all the transactions for multiple merchants even though only one of the merchants had a breach, therefore there were too many cards being counted. In those cases we are able to get some leverage to negotiate the assessment down.”


Luck can also be a factor, Navetta said. “A recent case of ours involved a restaurant where the number of events was hovering around 10,000, and the initial report said the breach continued through ‘all day’ on the last day of the window of intrusion. However, they fixed the breach on a Saturday at 11:30 A.M., before the lunch rush and their dinner rush, so all of those transactions were taken out and we were under the 10,000, finally.”


“There is another strategy,” Navetta said. “For smaller merchants and retailers these fines and penalties will put them out of business. I had an online e-commerce company experience a breach for which they were assessed $1.8 million. That was going to put them under so we got the assessment way down. Sometimes you have to use that leverage. ‘You’re not going to get any money if we go out of business.’ ”


“Also, there is a catastrophic cap in the Visa system … one thing to realize is that the top-line fraud in these calculations is usually very, very high, so there might be a $5 million top line and then Visa figures that 20 percent of the fraud was normal fraud, therefore they take off a big chunk and further reduce it. They do what is called a catastrophic cap, which can be two to five percent of your annual transactions. I had a case where they were counting multiple merchants with different merchant IDs in the catastrophic cap calculation where it was only one merchant ID that suffered the breach. They were saying the catastrophic cap should be $300,000 but one merchant only had $40,000 of transactions going through. We were able to argue it down based on the fact that too many entities were figured in their calculations.”


“One problem with the appeal process,” Navetta warned, “is you have to pay if you lose, so try an informal appeal first.”


“By agreeing to the PCI adjudication process,” Economidis asked, “does this stop consumer class action suits resulting from a breach?”


“Not only does it not stop cardholders from suing, it doesn’t stop banks that issue cards that were affected from suing,” Hoffman said. “Under the Visa and MasterCard programs the purpose of the assessment is to reimburse the affected issuing banks. After Visa and MasterCard take their fee, they don’t give the merchant a release of liability. They give the money to the issuing bank, and if the issuing bank finds out what merchant was breached they can still pursue the merchant directly. Their claims are very weak, I think, if they are viable at all, but it doesn’t stop them from filing a lawsuit.”


“Specifically how is the consumer harmed?” Economidis asked.


“They are afraid of their identification being stolen. Or they bought a credit monitoring system, so there is economic harm,” Hoffman said. “Or people who use pre-paid cards that don’t have the same protection, or work with a smaller credit union that charges $15 to get a new card, they claim additional economic harm.”


Economidis summed up the conversation―and the risk―this way: “After all the PCI adjudication process and forensic costs, plus fines, penalties and assessments, you still face class actions and claims being made by banks against you for damages.”


Key Takeaways

  • Merchants often fail to understand their responsibilities under a Merchant Services Agreement. These responsibilities include, but are not limited to, the cost of forensic computer audits, possible fines and penalties, as well as loss assessments for the costs of fraud and card re-issuance.
  • Many merchants believe that they are PCI compliant when they are not. It is not sufficient to purchase a PCI compliant application; the environment running the application must also be compliant with PCI data security standards. Often, merchants rely on third-party computer consultants that fail to set up the system in a secure manner.
  • The PCI adjudication process does not shield merchants from suits by banks/credit unions for costs incurred for card fraud, nor by consumers that feel harmed by the breach.

Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.