the money guy
  Could ISOs Be Liable For Data Breaches?



by Harold Montgomery

    Well, can they? I don’t really know the answer here, but I bet we find out in the coming year. I probably don’t need to run down the list of mass data breaches that have occurred in the acquiring business in the last two years. For anyone who reads the trades (or the New York Times for that matter), a quick list of the dead and wounded should suffice to remind us all that the problem is real: TJ Maxx, Card Systems, and many others.
    This is a problem that no one knew existed three years ago. It has already killed a number of companies in our business and wounded (perhaps mortally) a couple of retailers. Who’s next? POS software makers? You bet. Processors? Possibly. Associations? Maybe. ISOs? ISOs aren’t in the direct line of fire here, but it seems to me that they could be collateral victims. Here’s how.

Incomplete Disclosure Resulting in Action by Retailers Against the ISOs.

    ISOs sell equipment and software made by third parties. Much of this equipment was designed and built with pre-internet software security standards in mind. Many of the systems operating today have been adapted to the internet through successive patchwork additions, and that approach does not produce a highly secure environment. ISOs may therefore have sold equipment and software that does not meet today’s or tomorrow’s standards for security. Could the sales agent be liable to their customers in the event of a breach? The ISO may be able to pass this liability on to the manufacturer, if the manufacturer is still in business and can absorb the consequences. One place to look for reassurance is your contract with the vendor: does it specify that the ISO is not responsible for this kind of liability? I would guess that the typical sales contract contains no language on the subject, since it was probably written before this issue arose.

Processor - Bank - ISO Liabilities.

    When Card Systems experienced a mass data breach in 2005, everyone knew the company was liable for the consequences. It wasn’t clear at the time what the consequences would be: how much money was involved, and who would, or even could, pay the bills? It was not at all clear that Card Systems had enough money to cover the damages, and the fact that the company was privately held contributed to the confusion. Combine that with a slow reaction from the Associations and a very slow reckoning of total liabilities by the issuing banks, and the result was a highly uncertain environment for making business decisions. Everyone scrambled to cover their potential liabilities, real or imagined, and they used any method available to them.
    The episode brought up a number of interesting questions worth considering. Are ISOs liable for the consequences of a data breach? It’s not clear. Card Association rules dictate that the member bank holds the liability for this kind of loss. What the member bank does after that is the member bank’s decision.
    If there’s no language in the bank-ISO contract about this issue (and generally there is not), then the bank can take whatever action it deems necessary to protect its position. I’m not suggesting that such action has a strong legal foundation simply because the ISO/bank contract is silent on the issue. But often in business, the stronger party takes action and forces the weaker party to fight it, which the weaker party usually can’t afford to do. Imagine what would happen to your ISO if your bank were to withhold one or two residual payments to protect its financial position. Or perhaps the bank would simply say that your risk reserve should be used to cover such losses and will have to be replenished over time. Either way, the ISO is out the money.
    It seems as if data breaches will be a continuing fact of life in the business for at least the next several years. Acquiring software systems are now pawns in the ongoing escalation of tricks and schemes that make up the cyber battle between data security experts and hackers worldwide. Who will win? Eventually, the hackers tire of the chase, or find easier prey elsewhere and move on, like the hyenas of the internet that they are. When that happens, this whole issue will calm down. But before that day, there will be a lot of attention paid to contract language, and there will be some real damage done in our world. Check your contracts and make sure they are tight on this issue. The time to protect yourself is now, before a breach happens. Once a breach occurs, it’s too late to fix the terms of your contracts.