In my last post concerning insurance issues arising from the 2014 data breach at P.F. Chang’s China Bistro I talked about PCI DSS assessments and the cyber insurance difficulties they can present. Today I’m going to jump back into that pool, this time in the deep end.
As I mentioned in the P.F. Chang’s post, PCI DSS assessments aren’t well understood by a lot of people. That may have contributed to P.F. Chang’s problems. I know from experience that it has created difficulties for other companies. With that in mind, a deeper dive on these issues might be helpful.
How Payment Card Transactions Work
To understand what PCI DSS assessments are you first need to understand how payment card transactions work.
Payment card transactions are surprisingly complex. In a typical payment card scenario the customer presents his or her card to the merchant. The merchant’s point of sale system sends the information to a payment processor which then obtains an authorization from the card brand and the bank that issued the customer’s card (known as the “issuing bank”). Ultimately the funds are collected and sent to the merchant’s bank (known as the “acquiring bank”). The chart below hopefully makes the process a bit easier to understand.
All of this is possible because of various contracts between merchants and their banks, payment processors, and sometimes card brands (e.g. American Express and Discover), and between the card brands (e.g. Visa, MasterCard) and acquiring banks that accept funds for the merchants and issuing banks.
A merchant’s contract with its acquiring bank, known as a merchant services agreement (MSA), is the primary source of its obligations and liabilities with respect to payment card transactions. That MSA requires the merchant to comply with the PCI Data Security Standards (PCI DSS). Those standards are the rules governing payment card transactions, and they allow the card brands to fine parties for non-compliance, and to recover issuing banks’ losses resulting from a breach.
Liabilities Resulting From a Payment Card Data Breach
After a breach involving payment card (PCI) data a company will face exposure for PCI DSS fines and PCI DSS assessments. An acquiring bank’s membership agreement with Visa and MasterCard obligates it to pay the PCI DSS assessments and fines (Visa calls them fines, MasterCard calls them “case management fees”, and American Express and Discover call them “noncompliance fees”). The MSA obligates the merchant to indemnify its acquiring bank for those amounts. In the case of American Express and Discover, the merchant is directly liable for fines and assessments.
PCI DSS fines frequently don’t amount to much. The total amount of fines from card brands in connection with a breach will often be less than $100,000.
PCI DSS assessments are another story altogether.
So what exactly is a PCI DSS assessment? It is the primary vehicle by which issuing banks recover loss they sustain as a result of a PCI data breach. This includes counterfeit fraud loss resulting from fraudulent purchases using the stolen card data, and operational reimbursement loss consisting of the cost to reissue cards and to investigate the extent of any misuse of the card data. The assessment will be calculated by the payment card brand using loss data supplied by the issuing banks.
A PCI DSS assessment is not automatic in the event of a breach. An assessment will be made if the PCI forensic investigator’s report after the breach establishes that:
a. Card data was compromised;
b. A threshold number of cards were involved;
c. The merchant was not PCI DSS compliant; and
d. There is heightened fraud on the affected cards.
Once a PCI DSS assessment is issued the merchant will have a limited ability to appeal it. That said, it is not unusual for merchants to negotiate substantial reductions in assessments, particularly in large breaches.
The Cyber Coverage Problem
You might expect PCI DSS assessments to be covered under cyber policies. P.F. Chang’s did and discovered they were wrong.
The problem isn’t that insurers specifically exclude coverage for assessments. The problem really is that policies do not unambiguously cover, or not cover, them. That has forced companies like P.F. Chang’s to make creative arguments in order to find coverage, and has allowed insurers to avoid or limit coverage in ways that surprised the companies they insure.
Reliance on the contractual liability exclusion like Chubb did with respect to P.F. Chang’s claim is a good example of that surprise. Because cyber coverage is sold to cover loss from payment card data breaches, companies naturally assume that liabilities resulting from the breach will be covered. They do not expect policies to exclude certain liabilities simply because they arise from their MSAs. That is nevertheless how many policies are structured, and when a claim is made insurers will enforce them to the letter.
Another good example is a position I’ve repeatedly seen cyber insurers take that small sublimits for PCI DSS fines also apply to PCI DSS assessments. Confusion about what fines and assessments are, and imprecise use of those terms in MSAs, and sometimes even by lawyers representing companies in connection with data breaches, may partially account for this position. (That may also explain vagueness in relevant policy language.) Another factor is the hesitancy of insurers to commit a full policy limit to cover an exposure that is very difficult to quantify, and that arises from a liability that is not the result of a contested proceeding. That reluctance can affect insurers’ interpretation of the policy and lead them to conclude that a sublimit for fines also applies to PCI DSS assessments.
As understanding of credit card transactions and PCI DSS fines and assessments grows it will be easier for companies and their insurers to have a firm meeting of the minds about what is and isn’t covered. We aren’t yet where we need to be though. For that reason it is essential for companies to pay very close attention to their cyber policy wordings so that there are no rude surprises if a payment card data breach happens.