Compromised Data Expense Reimbursement Policy


Program Overview:

The Merchant Breach Coverage Program is a new and unique program to reduce your financial exposure by waiving your liability for card association expenses resulting from a suspected or actual breach of customer credit card data within your merchant account. The data breach can be either a system/network breach or the physical theft of the credit card data from stolen receipts, stolen computers, skimming, or even employee theft. The program applies to all Level 3 and 4 merchants (based on transaction volume), regardless of their level of compliance with the standard.


The Program Waives Costs for:


* A mandatory forensic audit required of a merchant by the card association when a data breach is suspected.

* Card replacement costs and related expenses resulting from the data breach required by a card association.

* Fees, fines and penalties levied against a merchant by a card association as a result of a data security breach.


The Program Limits:


Each merchant account has up to a maximum of $100,000 per program year and a total aggregate of $500,000 per program year for all of your locations.

Frequently Asked Questions:


Why do merchant accounts need this program?


If a merchant account suffers a suspected or actual data breach, the business responsible for the merchant account could incur thousands of dollars of unexpected costs in the form of audit expenses, card monitoring and replacement expenses, and fines. These costs could significantly affect revenue and could even cause it to go out of business. The Merchant Breach Coverage Program reduces a protected merchant account's financial exposure when a presumed or actual data compromise occurs, thus providing peace of mind!


What is the protection limit?


The maximum protection is $500,000 per incident for each merchant account.


If a merchant agreement has multiple accounts, is each account protected for $500,000?


The Merchant Breach Coverage Program provides protection on a per-merchant account basis, but an incident and annual limit of $1,000,000 does apply to a merchant agreement.


Can any merchant account qualify for this program?

Any merchant account that has enrolled in the Merchant Breach Coverage Program is eligible, provided it has not already suffered a data compromise. Level 1 and 2 merchants (based on transaction volume) are not eligible for this program at this time.


Are Level 3 and 4 merchant accounts (based on transaction volume) breached often?

Absolutely. 90 percent of card data breaches occur at small businesses with fewer than 1 million transactions per year.


If the transaction processing system used with a merchant account does not store magnetic stripe data, can it still have a data compromise?

Yes! While it is true that merchant accounts that store magnetic stripe data are the most vulnerable, there are a number of other risks. For example, missing or outdated security patches, vendor-supplied default settings and passwords, SQL injection by hackers, unnecessary and vulnerable services on your servers, stolen receipts, stolen computers, employee theft, and skimming can all lead to significant data compromises and subject the merchant account to audits, card replacement costs, and fines.


If a merchant account is certified to be PCI-DSS compliant, does it still need to enroll in the Merchant Breach Coverage Program?


Yes! Certification of PCI-DSS compliance is not a guarantee that a breach will not occur. The best analogy is: "You can have the best alarm system in the world, but it is useless if you don't turn it on." Also, the Merchant Breach Coverage Program includes employee theft and the physical theft of data. PCI-DSS compliance alone cannot prevent these losses.

To report a data compromise, please call Tim Smit, Lockton Account Executive, at 303-414-6011 or email with a subject line:

CyberIDLock Question or CyberIDLock claim

IMPORTANT: Merchant must have the following information in order to file a claim:
1. MID number

2. Date and time of incident

3. Name, phone number and email address of the person that the insurance carrier should contact.


For any expenses to be paid under the Merchant Breach Coverage Program, those expenses must be assessed by the card association against the merchant as a result of an incident. A qualifying "card association" would be any one of the following entities formed to administer and promote cards: MasterCard International, Inc., VISA U.S.A., Inc., VISA International, Inc., Discover Financial Services, American Express, JCB International Credit Card Company, Ltd. or any of the following Debit Provider Networks: Exchange/Accel, Interlink, Maestro, NYCE, Plus, PrestoLink, Shazam and STAR.


For hardware and software upgrade expenses to be paid under the Merchant Breach Coverage Program, the upgrades must have been ordered by a card association to prevent a PCI assessment from being issued as the result of an incident.


For other support assistance / inquiries, contact the Lockton Support Department:


ATTN: Tim Smit, Lockton Account Executive

Direct: 303-414-6011