Last year's statistics are in, and they once again show that data security breaches remain a pervasive risk. For instance, Privacy Rights Clearinghouse reported that 613 of the 4,176 publicly announced data breaches between 2005 and 2013 occurred last year. Many, and certainly the ones that attract much publicity, involve attacks on payment card information. Yet the media often fails to mention one of a merchant's greatest potential exposure risks: the contractual web through which card brands, like Visa and MasterCard, may try to impose assessments for violations of card rules on victimized merchants.

[Illustration: PCI]

Merchants do not have direct contracts with Visa or MasterCard. Instead, as the illustration shows, acquiring banks contract with the card brands for the right to permit merchants to accept Visa or MasterCard payment cards. American Express and Discover may have varying contractual arrangements, but the types of assessments imposed are similar to those discussed. To accept Visa or MasterCard cards in their stores, merchants contract with acquiring banks. The cards themselves are provided by issuing banks, which have separate contractual relationships with the card brands.