Even if your payment processor is responsible for the breach.
Indemnification is not mutual
We were asked by a client last week to review PayPal’s agreement for processing their credit card transactions. What we found did not surprise us, but it typically surprises the merchants we work with. The agreement states that the merchant agrees to indemnify and hold harmless PayPal, but PayPal does not agree to indemnify or hold the merchant harmless for anything. This is critically important because it means that if the merchant suffers a breach of cardholder data as a result of PayPal’s failure, the merchant is left defending itself and paying the costs associated with the breach. While the merchant could still pursue a claim against PayPal, the next clause in the agreement greatly limits that ability.
Limitation of Liability
Immediately following the indemnification language is the Limitation of Liability section, which caps PayPal’s liability at 12 months of service fees. It further states that PayPal will have no liability for indirect or consequential damages. Breach response costs could easily be classified as indirect or consequential damages arising from PayPal’s failure to provide a secure environment for processing your customers’ credit card transactions. Even if you successfully argue that these costs are direct damages, the most you will be able to recover from PayPal is 12 months of service fees, an amount that likely won’t come close to covering your costs after a data breach.