Law360, New York ( June 9, 2016, 12:48 PM EDT) -- For merchants, accepting payment cards is not really a choice. Most focus primarily on the cost of card acceptance. Some understand that accepting payment cards brings a contractual obligation to follow payment card industry data security standards (PCI DSS) to protect card data. However, a much smaller number are aware of the significant potential liability that exists if payment card data from cards swiped at the point of sale is stolen. Often casually (but incorrectly) referred to as "PCI fines and penalties," the contract a merchant signs with its acquiring bank/payment processor or directly with a card network imposes obligations that result in the merchant being obligated to pay for financial assessments related to noncompliance fines, case management fees, card reissuance charges and counterfeit fraud. Thus, "PCI indemnity obligations" is a better description. The components that are labeled fines and fees are relatively modest, but the liability assessments related to card reissuance and fraud are often the single largest expense a merchant incurs after a payment card incident. Relatively small incidents affecting only a few hundred thousand cards can lead to millions of dollars in liability....