Why Braintree Won't Indemnify

THE LAW OFFICES OF
PAUL A. RIANDA
38 CORPORATE PARK
IRVINE, CALIFORNIA 92606
949.261.7895
FAX 949.261.8800

Re: Braintree Payment Solutions, LLC
Our Client: Braintree Payment Solutions, LLC
Subject: Indemnification

As counsel to Braintree Payment Solutions, LLC (“Braintree”), I have prepared this letter to address why Braintree does not indemnify its merchants, including, but not limited to, for any issues relating to data security breaches.

The Scenario:

With the upward trend of credit card data breaches, merchants have been increasingly looking for solutions that can mitigate both the high cost of achieving and maintaining PCI compliance and the substantial financial and business risks associated with a breach. When buying credit card storage services, merchants typically hold two unfounded concerns regarding the ramifications of a service provider breach. First, they incorrectly assume that all of their customers will be able to trace the breach back to them, and second, that they will face the threat of lawsuits from customers whose sensitive data was stored with this third party. With these concerns in mind, merchants often want the service provider to indemnify them against these risks.

I will outline why these two concerns are unfounded based upon nearly a decade of industry experience. I will also explain that if merchants believe indemnification from Braintree is necessary, then to accomplish their goal they should be asking for indemnification from every single credit card processing provider they work with (and the many providers downstream that they never know about). Such a task is highly unlikely to succeed and, from my experience, nearly impossible.

Gaining a New Perspective: all providers store credit card data.

All credit card providers that service merchants, including those offering a payment gateway, merchant account, chargeback services, etc., handle and store their customers' credit card data. These providers store the data primarily for purposes of refunds, chargebacks, analysis, recurring billing and subsequent purchases. Some, as in the case of Braintree, return a token that can be used to reference a credit card. Regardless of whether a token is returned, all of these providers store credit card data.

Yet, when merchants are contemplating credit card tokenization services, like those that Braintree offers, they inaccurately think that they are facing a new risk that needs to be addressed with an indemnity. The reality is that ever since the merchant began processing credit cards, all of its providers have been storing its customers' credit card data; they just didn't return a token when they did it. So, for consistency, if a merchant asks Braintree for indemnity for handling its credit card transactions and tokenization, it should require the same from every other vendor it works with, because there is no difference in risk.

Why Providers Won't Indemnify

Industry Standard. There are a few reasons behind the industry-standard practice of providers not indemnifying merchants. First, the economics don't support it. Margins are too low and risk is too high to offer indemnification. There are numerous historical examples of the substantial financial costs incurred by breached service providers. Most of these service providers are fortunate to survive, and none would have if they had maintained liability to their merchant customers. The credit card processing industry is unlike insurance, where premiums can be collected to offset disaster costs when they happen. Margins are too low to cover such occurrences. For this reason, the industry standard has been to not indemnify merchants in the case of a breach.

Other Enforcement Methods. Second, there is an accountability structure already in place today with the card brands (Visa, MasterCard, American Express, Discover, JCB and Diners) for any service provider that is breached. For example, Heartland Payment Systems, one of the largest credit card processors in the industry, suffered the largest recorded breach in history in late 2008. At the time, it processed credit card transactions for over 200,000 merchants, and it is suspected that over 100 million credit cards were stolen. Heartland, pursuant to the PCI DSS standard and associated rules, was fined by the card brands for the breach and now faces a class action lawsuit from the financial institutions that issued those cards and suffered losses. The breach cost Heartland half of its $1 billion market capitalization.

Two items are important to note with regard to this breach. First, the cardholders were notified only that their card may have been compromised. The cardholders’ financial institutions did not give any additional information that could have linked the compromise back to a particular purchase or to a particular merchant that was processing with Heartland. This is a standard notification protocol. Second, to my knowledge, no merchant has ever faced any legal challenge because its service provider was breached. Heartland was the breached party and was therefore held responsible, not the merchant. These circumstances apply not only to Heartland but to every other breach I am aware of that has occurred during the past 10 years.

Business Decision For Merchants:

Merchants need to make a business decision regarding credit card storage, and the lack of indemnification from providers, based upon the perceived pros and cons. The case for remote credit card storage and related services is appealing from multiple standpoints, including: a) if a merchant eliminates the handling, processing and storage of credit card data, then even if it is breached (internal or external job), there is no credit card data present to be stolen; b) some solutions can reduce the scope of PCI compliance by as much as 90%, thereby allowing merchants to significantly reduce the cost, time and effort associated with achieving and maintaining compliance; and c) service providers that specialize in credit card data security are more likely to prevent breaches.

In the end, the merchant has to decide between using remote storage, with all its benefits but without any indemnity protections, and achieving and maintaining compliance internally with the complexity of in-house credit card storage. That approach is of course accompanied by the associated learning curve, costs, risks and responsibilities.

We hope that this letter has been helpful in explaining Braintree’s position in regard to indemnification. Should you have any questions or comments, please do not hesitate to contact Braintree.

Very truly yours,
The Law Offices of Paul A. Rianda
Paul A. Rianda