Liability in the Event of a Payment Card Breach

This is the second in a series of four brief summaries about what small business owners need to know about data breach risk and liability.

By now, every merchant that accepts credit and debit cards likely knows about the Payment Card Industry Data Security Standard (PCI DSS). And if they don’t — they should. It’s an industry security standard created by the leading card brands to increase protection of cardholder information and reduce fraud. Even small merchants are required to comply or risk losing the ability to accept many brands of payment cards.

Passing a PCI DSS assessment or audit validates that your business is following industry best practices to protect against a data breach. However, PCI compliance doesn’t equal security. PCI DSS is designed to help your business reduce vulnerability and risk, but it doesn’t mean that you’re risk-free, and it doesn’t protect you against liability in the event of a breach.

In the event of a payment data breach, your business could face liability from several different groups, including:

  • Card associations (the card brands)
  • Your acquiring bank
  • Credit card issuers
  • Government agencies
  • Individual customers whose information is compromised

It’s worth repeating: undergoing or even passing a PCI compliance assessment does not provide safe harbor from liability, although it may help minimize liability.

You can read more in Payment Card Data Breaches: What You Need to Know About Your Risk and Liability.