Failure to comply with the Payment Card Industry (PCI) Data Security Standard can potentially result in a host of “nasty things” happening to those without coverage, attendees to the 2016 International Cyber Risk Management Conference (ICRMC) heard last week.
Matthew Davies, assistant vice president – professional, media and cyber liability at Chubb Insurance Company of Canada, spoke during a session titled Cyber Insurance – Avoiding the Pitfalls on Thursday. He noted that retailers and processors of credit cards – including Visa, MasterCard and American Express – are obliged to be, “at some point” in their lives, PCI-compliant.
The required level of compliance depends on the volume of transactions completed: the most stringent standard applies to those processing six million or more transactions a year, while the fourth level covers fewer than 20,000 transactions a year.
Davies pointed out that PCI coverage can be bought as an extension on cyber, but said he believes there is “a lot of misunderstanding about the nature of the need for that coverage and, secondly, the type of coverage some markets are offering.” And, he went on to say, the penalty for not being PCI-compliant is that if the credit card company believes there was a breach, “they will insist that you use their forensic investigator, an outside organization, at your expense to come in and do an investigation. If they find you are not compliant at the time the breach happened, there are all sorts of nasty things that can happen to you.”
For example, the credit card company could “assess you and take money out of your bank account to cover their expenses and their loss; they can refuse to pay you until such a time that they feel they have been reimbursed for the fraud; they can fine a penalty, which is rare.”
“In a cyber policy, in the absence of having PCI coverage, you are going to get coverage for the forensics investigation, if you are responsible and have to notify affected parties, you’re going to get that coverage,” Davies said. “You’re going to get the PR coverage, outside legal advice, and if you get sued by the banks, you are going to get coverage as well for the liability suit against you as well as any liability suit that may be brought against you by the affected parties. The only thing you wouldn’t get is that assessment.”
Added Davies: “Even if you outsource it, you say ‘I don’t actually collect the credit card information, it’s all passed off to an outsourced vendor and they are PCI compliant,’ that nanosecond that the data passes through your point of sale terminal, that’s the exposure.”
But Brian Rosenbaum, senior vice president, national cyber and privacy practice leader at Aon Canada Inc., told the audience that it’s made to sound like “everybody who offers credit cards has this wide open, free market situation” where they are telling people to sign these contracts. “The truth of the matter is if you want to offer debit, credit cards, they have you over the barrel, you have to sign this contract. My position is this is not a typical contract, it’s not a moral hazard situation, this is something the industry has to deal with” and come up with a solution for.
Davies said that brokers looking to place this coverage and obtain a PCI extension must ensure that the contract liability exclusion is addressed. “You have to look at the definition of what does not constitute a loss, so liquidated damages. From an insurer’s point of view, there is no claim that comes in, so you get no opportunity to associate to the defence. There is no defence, it’s simply an administrative step that’s taken by the card issuer. The normal steps of processing and managing a claim are taken away from you.”