Keeping Merchant Information Confidential

19 Jul

Yesterday I participated in a panel discussion at the Midwest Acquirer’s Association meeting in Chicago.  The topic of the session was the duties every company in the payments space has to keep customer information confidential. 

Industry businesses know plenty about obligations to protect cardholder information by complying with PCI mandates.  But many are not aware of legal requirements to keep their customers’ (i.e., merchants’) personal information secure. 

ISOs and processors typically obtain personal information about merchant principals on the merchant account application form.  Names, addresses, social security numbers, driver’s license numbers, employment history, bank account numbers, and even credit card numbers are provided.  Such information is defined as personally identifiable information (“PII”) required to be kept safe by both Federal and state law. 

On the Federal level, the Federal Trade Commission has filed suit against a number of companies for failing to protect the security of customers’ personal information.   The lawsuits are based on a theory that the businesses have engaged in unfair or deceptive acts.  In those cases, the FTC alleged that the company did not follow reasonable or appropriate security practices, or made false representations regarding its security practices. 

On the state level, a number of states have laws that require businesses to maintain the security of PII.  For example, California law requires that: 1) businesses shred or modify customer PII to make the PII unreadable when the records are no longer to be retained; 2) companies maintain reasonable security procedures and practices to protect PII from unauthorized access; and 3) a company that discloses PII to a third party must require by contract that the third party implement reasonable security procedures to protect the PII.  

California takes this quite seriously.  In early July the California Attorney General stated that it will make it an enforcement priority to investigate breaches involving unencrypted personal information, noting that companies should tighten security controls on PII that they hold. 

State data security breach laws also come into play, which require that any business that maintains PII inform consumers of a data breach or the likelihood of misuse of that information.  Under some state laws, the Attorney General must also be notified.  Each applicable state’s law must be examined to determine specific compliance requirements. 

It turns out that PCI compliance is not enough: payment companies would be well advised to research their obligations under relevant state law to prevent disclosure and misuse of their customers’ personal information.


–Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss, P.C.

