One of the biggest challenges of modern commerce is protecting debit and credit card data. The 16 digits embossed on a credit or debit card serve to facilitate the vast majority of transactions occurring worldwide, enabling cardholders to purchase—via a single swipe—virtually any good or service over networks that connect to almost every merchant, and every major bank.
Yet the very features that make card numbers so powerful in facilitating commerce also make them one of the most sensitive pieces of data that comprise a person’s personal identity. In the wrong hands, those 16 digits could permit thieves to steal thousands of dollars within minutes—by racking up unauthorized charges or draining bank accounts—and could create identity-theft losses lasting a lifetime.
Yet every time a customer uses a card to make a purchase—an event that occurred 44.7 billion times in the past year alone—individuals must expose that sensitive data and turn it over to a merchant for safekeeping. See The Fed. Reserve, The Federal Reserve Payments Study 2019 (2020), http://bit.ly/3vqLTrm. If even one of those merchants experiences a data breach, card data from every register within a merchant’s system could be exposed, allowing bad actors to access the credit-card numbers for thousands—or millions—of the merchant’s customers. Accordingly, the benefits and risks of card transactions make the problem of securing card data an issue of pressing concern for every stakeholder in the card-payment system.
Banks and other financial institutions must address these issues because they are subject to a comprehensive set of regulatory and oversight requirements mandated by federal law. But merchants have so far escaped regulation that would bring their links in the chain of data custody up to bank-level standards. As a result, merchants experience card data breaches more than six times as often as financial institutions, despite controlling far less actual card data. Identity Theft Res. Ctr., 2019 End-of-Year Data Breach Report at 2 (2019).
Yet merchant data security is an attainable goal, as Visa has demonstrated with its GCAR Program. This program protects the physical and financial integrity of Visa’s network from the threats posed by merchant data breaches, while providing protections for every stakeholder within the network. The GCAR Program protects cardholders by requiring acquiring banks to ensure their merchants take commonsense precautions to secure their customers’ card numbers—measures that, if followed, virtually eliminate the risk that cardholders will suffer harm from data breaches of merchant card acceptance systems.
The GCAR Program also protects the banks that issue cards. If a merchant fails to take those commonsense steps and a data breach results, the program’s liquidated damages provision, the GCAR Assessment, requires the merchant’s acquiring bank to compensate the cardholders’ issuing banks for the frequently numerous, often immeasurable, and usually unrecoverable costs they incur because of the merchant’s failures. And the acquiring banks can—and usually will—pass those costs on to merchants.
Yet the GCAR Assessment also protects the merchants themselves, and their own acquiring banks, by providing a fixed, fair, efficient, and capped mechanism for resolving liability for data breaches. And of course, the program benefits Visa, and supports the value its network extends to end-users, by ensuring its entire card-payment ecosystem continues to function and attracts new cardholders, new issuing banks, new acquiring banks, and new merchants. The GCAR Program and the GCAR Assessment are thus critical components of Visa’s card-payment system.
The lower court’s judgment in this case strikes at cornerstones of that system. If the lower court is correct, and the GCAR Assessment is an illegal contractual penalty, then merchants can simply delete the GCAR Assessment from their contracts at their pleasure. That will strike a blow to the entire GCAR Program and upset settled expectations of all the players in Visa’s payment-processing network. It will make cardholder data less secure. It will force banks, and ultimately their customers, to absorb losses for data breaches they did not cause and could not prevent. It will compel changes to mutually agreed-upon, industry-standard practices that have governed card-payment networks nationwide for nearly a decade. And it could threaten the very integrity of Visa’s payment system. Accordingly, it is vital that the Court reverse the lower court’s erroneous judgment and restore the GCAR Assessment provision in Sally Beauty’s acquiring bank’s contract with Visa.
Download the amicus brief to read the full text.