Making Merchants Liable
February 28th, 2007 by datasecurity Posted in Credit Card Fraud, Merchant
Rep. Michael Costello of the Massachusetts legislature is taking aim at merchants that do not properly protect credit card data. In yet more fallout from the TJX compromise, this state law, covered in the WSJ, would do the following:
It would mandate that companies whose security systems are breached assume full financial responsibility for any fraud-related losses, costs associated with the canceling and reissuing of cards, and — in cases of identity theft — the freezing of accounts and credit information. The bill would apply to any company doing business in Massachusetts, wherever it may be based.
Of course the acquiring banks love this because it takes them out of the liability picture. Traditionally with Visa and MasterCard, liability flows downhill from the card associations to the acquiring banks to the merchants. This law would make the merchants directly responsible and liable for covering the cost of data theft.
Kevin of the Bank Lawyer’s Blog has several lengthy and sarcastic things to say about the new law. My favorite reminder was posted in the comments and read:
The Associations (Visa/MasterCard, etc.) attempted to prevent State and Federal regulation by implementing the PCI/DSS (Payment Card Industry Data Security Standard). While still preferable to this bill, which shifts the penalty from the bank to the retailer, PCI/DSS means nothing if the acquiring bank doesn’t enforce this requirement equally. In this industry, nay, world, small players are forced to conform while large retailers are allowed to skate until eventually breached.
We shouldn’t lose track of the fact that many millions of consumers / citizens had their privacy violated because TJX didn’t protect their best interest and Fifth Third Bank didn’t assure that TJX was compliant.
Bingo!
(thanks to Dutcher and James for the links)