Archive by Author

Cyber Insurance Shortfalls

20 Feb

If you store cardholder data, transaction information, or other personally identifiable information you may want to revisit your cyber insurance policy to verify the extent of your coverage.  A court recently found that the cyber insurance policy held by P.F. Chang’s did not cover many losses suffered in P.F. Chang’s data breach.  Based on the court’s findings in this decision and given the structure of the payments industry, many cyber insurance policies will not provide processors, ISOs, or payment facilitators with coverage against fees, fines, and assessments issued by the card brands.
 
On June 10, 2014, P.F. Chang’s learned that hackers had obtained approximately 60,000 credit card numbers belonging to its customers.  P.F. Chang’s turned to its cyber insurance policy to cover the costs of the data breach.  The policy had been advertised as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
 
Under the cyber insurance policy, P.F. Chang’s was reimbursed approximately $1.7 million for the cost of an investigation and defending litigation.  However, the insurance company denied coverage of three assessments by MasterCard: a Fraud Recovery Assessment of $1,716,798.85; an Operational Reimbursement Assessment of $163,122.72; and a Case Management Fee of $50,000.  These assessments were technically received by Bank of America, and not by P.F. Chang’s.  P.F. Chang’s used Bank of America Merchant Services (“BAMS”) for its payment processing services.  The assessments were contractually passed through to P.F. Chang’s under its merchant agreement with Bank of America.  P.F. Chang’s filed a lawsuit seeking to recover the amount of the MasterCard assessments.
 
In its opinion, the court sided with the insurance company.  The court found that the Fraud Recovery Assessment was not covered because: P.F. Chang’s received the assessment from BAMS pursuant to its merchant agreement; BAMS did not suffer any privacy injury (as it was the issuing bank’s records that were breached rather than the acquiring bank’s records); and the policy only covered claims brought by those persons whose records were accessed without authorization.
 
In addition, the court found that all three MasterCard assessments were excluded from P.F. Chang’s coverage.  The policy excluded any liability contractually assumed, an exclusion commonly found in insurance contracts.  This exclusion means that any loss incurred by P.F. Chang’s as the result of a contractual relationship (in this case as a result of its merchant agreement with BAMS) would not be covered.
 
Processors, ISOs, and payment facilitators are typically liable for card brand assessments incurred by their sponsor financial institution under their sponsorship agreement.  If you suffer a breach, you may incur card brand assessments.  If one of your merchants suffers a breach, and the merchant isn’t able to pay the related assessments from the card brands, you will likely be liable for the assessment.  Would your cyber insurance policy cover such expenses?  It would be worth your time to check on your insurance coverage and, if appropriate, work with your broker to adjust your insurance policy accordingly.
 
– James Kramer, Attorney, Jaffe Raitt Heuer & Weiss, P.C.

James Kramer

James is a member of the firm's Electronic Payment Group, Corporate Group and Business Transactions Group. James counsels clients on contractual, regulatory, and compliance matters as well as on purchases, sales, mergers, and acquisitions. He routinely advises and negotiates on behalf of financial institutions and entities in the electronic payments industry.

jkramer@jaffelaw.com

Next Generation Payment Systems

27 Oct

Given the importance of payment infrastructure to the global economy, and the lucrative prospects of owning or running such infrastructure, it will come as little surprise that many entrepreneurs are racing to develop new payment solutions and large payment companies have been on acquisition sprees as they seek to update and build out their existing networks.

This focus on developing new payment systems and enhancing existing payment systems has caught the attention of the Consumer Financial Protection Bureau (“CFPB”).  For the benefit of those working to develop and improve their payment systems, the CFPB has issued nine consumer protection principles to keep in mind in connection with such development:

1. Consumer Control Over Payments.  Consumers should have control over payments, including their authorizations, the length of time for which such authorization is valid, and the ability to revoke an authorization.

2. Data and Privacy.  Consumers should be kept informed as to how their data is used, who has access to their data, and potential risks associated with transfer of their data.  Data collected should only be used to benefit consumers, and consumers should be able to specify what data is accessible by third parties.

3. Fraud and Error Resolution Protections.  The system should incorporate protections against mistaken, fraudulent, unauthorized, and erroneous transactions.  The system should also create adequate records for post-transaction evaluation, allow the reversal of erroneous and unauthorized transactions, and comply with all regulatory requirements.

4. Transparency.  Consumers should have real-time access to information about each transaction, such as payment confirmations and receipt of funds, as well as timely disclosure of costs, risks, fund availability, and security.

5. Cost.  Fees charged to consumers should be disclosed in a way which allows consumers to compare the costs of using different payment options and should not obscure the full cost of making or receiving a payment.

6. Access.  The system should be broadly accessible to consumers, widely accepted by businesses and other consumers, and permit access to such system through qualified intermediaries.

7. Funds Availability.  The system should provide fast, guaranteed access to funds.

8. Security and Payment Credential Value.  The system should have built-in protections to detect and limit errors, unauthorized transactions, and fraud.  These protections should safeguard against and respond to data breaches.  The system should enable gateway institutions to offer enhanced security protections and limit the value of consumer payment credentials.

9. Accountability Mechanisms.  The system should align the incentives of system operators, participants, and end users.  Commercial participants should be accountable for the risks, harm, and costs they introduce into the system and should be incentivized to prevent and correct fraudulent, unauthorized, or erroneous transactions.  The system should also have automated monitoring capabilities, incentives for participants to report misuse, and transparent enforcement procedures.

The release from the CFPB is available here: http://files.consumerfinance.gov/f/201507_cfpb_consumer-protection-principles.pdf.

We recommend that those companies running or developing any type of payment system accommodate the above principles in their development process.  As this is a rapidly changing area of the law, we also recommend staying up to date with the latest requirements and recommendations of the CFPB and other applicable regulatory agencies.

– James Kramer, Attorney, Jaffe Raitt Heuer & Weiss, P.C.

Surcharging Card Transactions

1 Jun

Surcharging has been making its way back into the news recently.  As a result of the settlement agreement in In re Payment Card Interchange Fee and Merchant Discount Litigation, in January 2013 Visa and MasterCard revised their rules to permit merchants to surcharge credit card payments under certain conditions and within certain limits.  Although the effective date was more than two years ago, it will come as no surprise to those in the industry that credit card surcharging remains a highly contested topic.

Several states ban surcharging outright, and a majority of state legislatures have considered legislation regulating surcharging.  In addition, lawsuits have been brought in four states challenging the statutory bans on First Amendment grounds.  The argument set forth in these cases boils down to this: surcharging prohibitions effectively regulate how merchants communicate their prices to customers, and thus violate the merchants’ right to free speech.  At the district court level, California and New York have sided with the plaintiffs and granted injunctions preventing enforcement of the surcharge prohibition statutes, while Texas and Florida have upheld the surcharge prohibition statutes.  Each of these cases has already been, or will likely soon be, appealed.

In most states, surcharging remains a viable option so long as the merchant’s acquiring bank supports the practice.  Surcharging can be in the form of a fixed or variable charge to all credit transactions, referred to as brand level surcharging, or a fixed or variable charge to all transactions of the same product type, known as a product level surcharge.  For those merchants interested in surcharging, several requirements set by the card brand rules must be met.

The merchant and its acquirer must provide the card brands with at least thirty days’ advance notice that the merchant is going to surcharge.  In addition, adequate disclosures must be provided to the customer.  Generally, the disclosures should include the surcharge dollar or percentage amount, a statement that the surcharge is being assessed by the merchant and is only applicable to credit transactions, and a statement that the surcharge is not greater than the applicable merchant discount rate for the credit card transaction.

In addition to the disclosure requirements, merchants may only surcharge credit transactions.  Current card brand rules cap the surcharge a merchant may apply to a payment.

Merchants that would like to take advantage of the new authority to surcharge card transactions should carefully review the relevant rules and laws and monitor legal developments.  If properly implemented, surcharging can be a useful tool for merchants to cover the costs of accepting credit cards.

– James Kramer, Jaffe Raitt Heuer & Weiss, P.C.
