The Payment Card Industry Security Standards Council, in an attempt to provide better understanding and guidance on its standards, has announced it will update the PIN Transaction Security Standard, the Payment Application Data Security Standard and the PCI Data Security Standard within the year, and will work on implementing a three-year update cycle for them. The first of the updates will begin with the PIN Transaction Security Standard and end in October with final updates to the remaining two standards. In the future, the council plans to work on standards for mobile payment devices.
I came across an insightful interview with Bob Russo, general manager of the Payment Card Industry Security Standards Council (the “Council”), conducted by CNET News. The interview can be found here and is a strongly suggested read.
The Council was created by Visa, MasterCard, American Express, Discover, and JCB for the purpose of creating a unified compliance program for organizations accepting and processing payment card transactions. The Payment Card Industry Data Security Standard (the “Standard”), available here, was created by the Council to deter credit card fraud. Many view these efforts as an industry-wide effort to apply uniform security practices, which largely has been the effect.
All organizations that enter into a merchant processing agreement to accept credit and payment card transactions must comply with the Standard in some manner. While the reporting requirements may be less onerous for organizations accepting payments below some fixed amount, in any event all such organizations must comply.
The Payment Card Industry Security Standards Council, which administers the PCI standards, has issued guidelines for applying its protocols to wireless technology. These Guidelines will help merchants incorporate wireless networking equipment without compromising data security. The Guidelines consist of nine requirements that provide guidance for testing and deploying wireless networks. Specifically, the Guidelines will help merchants to understand methods to secure their wireless networks. In addition, the Council formed a special interest group to develop recommendations for businesses to increase wireless security and reduce the potential for hackers to access wireless networks.
Minnesota made waves in 2007 when it became the first state to make part of the Payment Card Industry (“PCI”) Data Security Standard applicable through its Plastic Card Security Act (PDF link). Although it has taken over two years, Nevada has become the second state to incorporate PCI, and it has done so by making all of the PCI standard applicable.
Nevada’s existing Security of Personal Information law now requires that affected parties comply with PCI as a whole. Unfortunately, the Nevada amendment (PDF link) does not get off to a good start, requiring compliance deadlines that do not exist under the PCI standard, but are (in actuality) created independently by the card issuers. Amending the existing Security of Personal Information law, the amendment (PDF link) requires that each affected party meet the following standard:
If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.
The effect of the amendment itself is quite interesting. First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships. This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.
Second, the amendment proposes a standard that creates some interesting outcomes. This safe harbor provides that “[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.” Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty. Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.
It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard. Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner rather than later.
Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws. With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.