The Tip Out: How to Protect Payment Card Info

By Steve Cannon, Constantine Cannon

July 2, 2014

Back in May, the Alliance held a lively and informative seminar on a serious topic: breaches of a hospitality industry provider’s payment card data.

The three seminar leaders were Steve Cannon and Jeff Shinder of Constantine Cannon LLP, and Steve Mott, Principal, BetterBuyDesign.

In case you missed the seminar or could do with a reminder, here is a rundown of what you need to know in order to protect your business from credit card data breaches!

The seminar addressed four key areas:

1. The hospitality industry is a key target for payment card data compromise activity.

While recent press attention has focused on data breaches at major retailers, the businesses most commonly affected by payment card system data breaches include restaurants and hotels. Moreover, data security firms report that such breaches are largely a problem of small and medium-sized businesses. Indeed, multiple seminar participants expressed concern about the impact of potential data breaches on their businesses.

2. Hospitality industry operators need to be prepared and take steps to minimize data breach risk.

Merchants are contractually bound by their agreements with their card processors/banks to comply with the payment card industry’s data security standards (PCI-DSS) and thus need to work with their vendors to achieve compliance as part of their data security strategy.   However, PCI-DSS compliance alone does not equate to robust risk management—merchants must incorporate security awareness and procedures into the routines of all employees with access to card devices, payments, and systems.  For example, merchants should monitor networks for unusual activity or server attempts to send data to unauthorized Internet addresses.

3. Hospitality business operators are advised to act proactively to minimize their business’s liability and risk and to preserve customer goodwill.

Card networks may impose fines and/or seek recoveries for a portion of costs and fraud losses claimed by issuers of potentially compromised cards.  These assessments are technically imposed by Visa and MasterCard on a merchant’s “acquiring” bank.  However, under the indemnification provisions of the agreements merchants have with their processors/banks, the processor may seize funds from the merchant’s transaction cash flow to fund a “reserve account” to cover expected network assessments—even before the networks finalize the amounts the acquiring bank/processor may be obligated to pay.  Further, processors act as a “gatekeeper” between merchants and the card networks during all aspects of a breach investigation.

Several proactive steps for hospitality merchants to take were discussed:

  • Immediately notify your processor/acquirer, direct-contact brands (American Express), and law enforcement if a breach is suspected.
  • If notified of a possible breach by card networks, notify law enforcement, or vice versa.  In all cases, notify your systems vendor/integrator.
  • Consider hiring a PCI-Qualified Forensic Investigator immediately; the card networks are likely to mandate such a step if they conclude a data compromise incident is in progress or has occurred.
  • In consultation with your IT vendor and/or investigator, disconnect compromised systems and preserve all evidence and access logs.  Cooperate with the investigator, but be sure to correct any investigator misunderstandings of the situation.
  • Provide requested information and certifications within network-specified time frames.
  • Comply with New York’s data breach notification statute.
  • Implement a communications strategy to keep customers informed of a potential breach and of your remediation efforts.
  • Be alert to, and work with your processor to take advantage of, the opportunity given to your processor/acquirer to appeal card network fines and assessments, usually within 30 days of the processor/acquirer receiving notice of fines and assessments.

4. Learn about changes underway in card technology and rules affecting card acceptance.

Most significantly, the process of transitioning point-of-sale terminals to accept chip-equipped (“EMV”) payment cards that minimize the potential for counterfeiting is underway.  Both Visa and MasterCard have announced programs to incentivize merchants to install complying chip-capable terminals, including possible forgiveness of fraud and reimbursement assessments.  Payment transactions are also going mobile, with a variety of technologies and providers entering the market, a development that may be particularly relevant to hospitality providers.

Litigation working its way through the courts will also affect merchants’ ability to surcharge Visa, MasterCard, and American Express cards.  The ultimate impact on those in the hospitality industry will depend on final judicial resolution of the issues before trial and appellate courts, including the trial of a Justice Department complaint regarding American Express’s anti-discrimination and anti-steering rules.

A copy of the presentation given at the seminar is available here.

For further information, contact Steve Cannon at 202-204-3502; Jeff Shinder at 212-350-2709; or Steve Mott at 203-536-0588.

Constantine Cannon specializes in the payment systems industry and represents merchants in disputes regarding payment cards, including litigation regarding card acceptance rules, interchange fees, and data security. 

BetterBuyDesign specializes in designing and implementing electronic commerce initiatives that utilize emerging digital transactions.
