Thursday, July 29, 2010

Merchants - not service provider - liable in case of data breach

PC Guy writes in StorefrontBacktalk: Who will be liable if the service provider’s system is breached, or if the software or systems provided to the merchant contain vulnerabilities that enabled a breach?

In almost every case, it is the merchant who will be held responsible by the acquirer and card brands, because those parties have no contractual relationship with the service provider. In theory, the merchant might be able to file a claim against the service provider, but many service providers require merchants to waive the right to such claims. Some even require merchants to indemnify the service provider against claims from third parties (i.e., cardholders and acquirers).

Even assuming the merchant did sue, and win, it would probably be a hollow victory: Most service providers lack sufficient resources to pay tens of millions of dollars (or more) in claims that could be made against them by the hundreds or thousands of merchants they service.

Using a service provider does not automatically provide a merchant with a “free pass” to avoid liability, regardless of what the merchant’s agreement with the service provider might state.