Data Breaches and PCI Compliance: Risk Exposure and Third Party Processor (Part 2/3)
Posted on Tuesday, April 25th, 2017 by Vanessa Henri

What is the risk exposure when an organization suffers a data breach and is not compliant with PCI DSS?


In my previous article, I explained that PCI non-compliant organizations can incur a wide variety of penalties because of the Merchant Agreements that they have in place with their banks. Such contracts are signed as soon as the organization accepts payments through credit cards, regardless of whether this payment processing is outsourced to a third-party service provider (TPSP).

However, organizations must also deal with two other categories of legal threats: regulatory costs arising from investigations, and costs from class action lawsuits. We have discussed these in general terms in our blog post about the anticipated storm of litigation and compliance requirements and in this webinar on the same subject. This post further analyzes the legal and compliance obligations, and the resulting liability, when a TPSP is involved, and the impact of PCI DSS non-compliance in this context.


Are you liable for a data breach even if you outsourced payment processing to a TPSP?

In principle, as Zetoony and Stout note, “retailers are not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach”.

They add that this is often part of the operating agreements: “The fine print in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer”.

In other words, if you accept credit cards, you are responsible to consumers and relevant credit card brands for any data breach that may cause financial damage to those parties.

Subject to the contractual limitations, however, the defendant can also turn to other third parties to recover part of the damages that it paid out because of a breach.

These include:

  • software developers
  • systems integrators
  • system outsourcing firms
  • data storage companies
  • systems security consultants
  • auditors


In principle, however, the retailer first absorbs the legal consequences of the data breach (e.g. class action exposure, regulatory fines and contractual penalties) before any third party obligation comes into play.



What are the impacts of PCI DSS non-compliance on liability?

Allegations of negligence, breach of fiduciary duty and breach of contract, individually or together, are common in class actions (for more information, see our webinar on “The Developing World of Cyber Litigation and Compliance”).

Negligence, which is the issue alleged in most data breach suits, is typically defined in terms of a failure to use reasonable care or simply conducting business in a manner that is not considered reasonable for a prudent organization.

Examples of this may include not being PCI DSS compliant or not having the measures in place that this standard otherwise covers, as well as not acting diligently in either the selection or the oversight of the TPSP (see the section “Some Advice on Dealing with a TPSP”).


In other words, legal systems do not require PCI DSS compliance (it is mostly a contractual requirement), but they do require diligence, and in this regard compliance with applicable standards is a critical indicator. Let’s not forget that the PCI DSS covers the security of the entire cardholder data environment (CDE), and not only the storage or processing of cardholder data. Many of the mandatory measures include actions that most legal precedents otherwise require in order to mitigate risks. An example of this is Requirement 12.10 regarding the incident response plan and the specific actions that must be taken in such cases.

About the author: Vanessa Henri
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Legal and Compliance as well as Data Protection Officer. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.
