Published on January 25, 2018
What are the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is developed and promoted by the PCI Security Standards Council (the “Council”). The Council was formed by five of the most prominent payment card brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – in response to increasing payment card fraud and data security breaches.
The PCI DSS security standards are technical and operational requirements set by the Council to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members through their individual compliance programs. While each payment brand has its own compliance program, the Council’s members incorporated the PCI DSS as technical requirements into their programs starting in 2006.
The PCI DSS has undergone several revisions since it was first established, the latest iteration – PCI DSS v3.2 – having been published in April 2016. It contains several important changes to the previous version. However, the newly introduced requirements are not mandatory and are considered “best practices” until February 1st, 2018, with the exception of the requirement to migrate away from SSL and early TLS, for which the Council has extended the compliance date to June 30, 2018. The PCI DSS is built around a set of 6 goals (covering 12 requirements) that a merchant, service provider or other entity subject to PCI DSS must achieve to satisfy cardholder data security best practices. The latest version of PCI DSS can be downloaded from the Council’s website.
Who needs to be PCI DSS compliant?
The individual payment brand’s data security requirements, including the PCI DSS integrated into them, apply to all entities where relevant account data (cardholder data and/or sensitive authentication data) is stored, transmitted or processed. This includes entities such as merchants, processors, acquirers, issuers, and service providers, even if the number of account data transactions in connection with the payment brand is minimal.
Each entity’s PCI DSS assessment process depends on its involvement in the processing, storage or transmission of payment card data, its environment, the number of card transactions, the payment card brands the entity deals with, and other requirements set forth in the applicable payment brand’s compliance program(s). For example, merchants with a high volume of card transactions may be required by the individual payment brand’s compliance program to validate compliance proactively, either through an external Qualified Security Assessor (QSA) or through a Council-trained Internal Security Assessor (ISA), and to complete quarterly network scans conducted by a Council-approved scanning vendor (ASV). Smaller merchants have the option to complete an annual self-assessment questionnaire (SAQ) in lieu of undergoing an on-site audit.
What is the legal foundation requiring compliance with PCI DSS?
Unlike federal laws, the PCI DSS are not regulations or statutes enforced directly by the government, although some states have incorporated the PCI DSS into state laws protecting payment card data. Nor does the Council enforce the PCI DSS directly. Rather, the individual payment brands establish contractual obligations to comply with PCI DSS through chains of contracts (“PCI contract chains”).
The obligation to comply with PCI DSS is generally transmitted down the chain to merchants and service providers. First, the payment card brands establish a contractual relationship with merchant or “acquiring” banks to allow for the processing of payment card transactions. Such a contractual relationship usually attaches an obligation of compliance with PCI DSS.
Second, the contracted merchant banks, directly or through payment processors, enter into agreements with merchants or service providers that wish to accept payment cards. The obligation to comply with PCI DSS is then transmitted to the merchants through such agreements.
Further down the contract chains, merchants that are not prepared to bear the burden of storing, processing or transmitting card data on their own networks enter into agreements with payment card processing service providers. Outsourcing in this way can reduce the merchant’s PCI DSS scope, but the merchant retains its compliance obligation.
What are the consequences of non-compliance?
As mentioned above, each payment brand maintains and enforces its own data security compliance program and establishes penalties for non-compliance.
Even though the obligation of compliance with PCI DSS may be contractually transmitted with relative ease down the PCI contract chains, the lack of a direct contractual relationship between payment brands on one side, and service providers and merchants on the other side, may pose some enforcement issues.
For example, merchants may not be legally required directly by the applicable payment brand to adhere to PCI DSS. In practice, however, payment card processing companies usually force compliance through their agreements with merchants and service providers, for example by refusing to process card payments if a business fails to comply.
In addition to contractual enforcement by payment card brands or payment processing companies, merchants are confronted with a wide array of incentives to comply with PCI DSS. For example, Requirement 12.8 of the PCI DSS requires an entity to manage the service providers with which it shares cardholder data, including maintaining a written agreement in which the provider acknowledges its responsibility for the security of that data and monitoring the provider’s PCI DSS compliance status at least annually; Requirement 12.9 requires service providers to give that written acknowledgement to their customers. As such, an entity adhering to PCI DSS should impose the obligation of PCI DSS compliance downstream, both to protect itself against unwanted risk and to match its own compliance obligations. For this reason, merchants and service providers may simply not have access to the best suppliers or service providers if they are unable to prove PCI DSS compliance to the satisfaction of those suppliers or service providers.
Because of its wide adoption, PCI DSS has become the industry standard for the minimum security requirements needed to process cardholder information. As such, PCI DSS could be treated as a legal standard of care and attract liability for non-compliance under a “negligence” theory or under existing state legislation. Consequently, cybersecurity insurance and other insurance products may become unavailable, or available only at an increased premium, if PCI DSS compliance is not validated.
When should an attorney be involved when dealing with PCI DSS validation?
The reality is that PCI DSS compliance is not usually viewed as presenting a legal issue, and in many cases it is assigned to a company’s internal security team or to an external QSA, who often coordinates with the company’s security team. Such teams then begin the assessment process based on their technical interpretation of the PCI DSS and make critical decisions, sometimes with little or no consideration of how their interpretation of the security requirements may be viewed by a judge in a court of law.
Because of the internal pressure an organization is exposed to when undergoing a PCI DSS assessment, internal teams and QSAs may accept looser interpretations of the PCI DSS that seem acceptable within the security industry but may not enjoy the same level of acceptance in a court of law.
The increasing liability risk surrounding PCI DSS compliance demands that attorneys be involved as early in the assessment process as possible. Experienced attorneys can help, for example, to select a QSA or ASV through a procurement process, to draft or update the necessary policies and procedures, to preserve privilege over conversations about the company’s security practices, and to draft or update existing contracts to reflect the improved standards.