If you sell mobile POS devices to a merchant, and a cybercriminal compromises that hardware, what are the chances you'll be held financially responsible?
It's an appropriate question to ask in light of the vulnerabilities POS systems possess. Verizon's 2016 Data Breach Investigations Report noted that POS intrusions were at the root of 64 percent of retail data breaches last year. Given that statistic, it's likely one of your customers fell victim to hackers in 2016. Is it possible you may face a lawsuit? How can you protect yourself from liability?
Identifying legal responsibility in a POS data breach
From a litigious standpoint, the one most likely to face a civil or criminal suit in the wake of the breach is the data owner. In many cases, a merchant who experiences a data breach would be considered the data owner. So, the short answer is that you, as a POS reseller, would likely not be held liable if one of your customers were to experience a cyberattack.
With this in mind, it's also worth noting that, as of this writing, the U.S. doesn't have any federal laws that specify what private businesses are obligated to do in the wake of a data breach unless they collect, process and manage health care information, according to HG.org, an online legal resource. However, the National Conference of State Legislatures noted that 47 states do enforce legislation stipulating what private enterprises are supposed to do in the wake of a security breach.
From a purely legal standpoint, it's unlikely you'll be fined in the event of a data breach. However, that depends on whether you, as the POS reseller, are responsible for managing, processing or storing consumer credit card data. This likely isn't the case, so you probably don't have to worry about facing action from state or federal authorities.
Financial liability in debit and credit card fraud cases
Banks and payment processors typically have to cover the costs of fraudulent charges to debit and credit cards in the wake of data breaches, even if they've taken the proper steps to protect customer data. In the wake of such incidents, financial institutions (FIs) and processors often take businesses to court.
For example, ID Experts noted that small FIs sued Home Depot and Target after both of their POS systems were compromised. Law360 noted that First Choice Federal Credit Union filed a class-action suit against the company, claiming that FIs will have to reissue affected cards, close certain accounts and provide refunds to affected customers.
There have been cases in which businesses that experience a data breach take civil action against POS manufacturers and resellers. In 2010, attorneys Charles Hoff and Shiel Gallagher filed a lawsuit against Restaurant Data Concepts - creators of the POSitouch system - and CC Production, a New Jersey-based reseller, on the grounds that the latter parties sold POS systems that were not compliant with PCI-DSS standards. The suit was largely based on a forensic audit of the POSitouch system which, at the time, did not adhere to PCI-DSS guidelines.
How POS resellers can protect themselves from data breach liability
There are three steps you can take to ensure you can defend yourself in court if a business files a suit against you, claiming that you sold insecure devices or POS systems to them:
- Obtain your QIR certification: If you haven't obtained a Qualified Integrators & Resellers certification from the PCI Security Standards Council, look into doing so. Obtaining this accreditation will not only protect your business if you have to go to court, but also help you establish relationships with new merchants.
- Sell EMV PIN pads: As of October 2015, U.S. merchants that do not allow customers to pay using EMV chips will be held liable for fraudulent transactions. The Strawhecker Group, a management consulting firm, found that despite this incentive, only 37 percent of U.S. merchants were EMV-ready as of February 2016. The costs associated with obtaining PIN pad certifications and purchasing EMV-compatible hardware are, in general, deterring merchants. As a reseller, you can bundle EMV POS systems with payment integration technology that comes with built-in processor certifications, eliminating a major pain point in the EMV transition.
- Offer POS systems that provide tokenization: Tokenization replaces cardholder information with tokens, thereby vastly reducing the risk associated with transferring payment data from POS systems to payment processors.
If you're already following these steps, then the chances of your encountering a suit are slim. Be on the lookout for POS security technologies that can help you protect merchants' operations. Doing so will go a long way toward maintaining a lasting business relationship.