
Payment Card Industry Data Security Standard (PCI DSS)

By Mark Grossman

Co-authored by Tate Stickles

Credit card security has come a long way from the days when a bored clerk ran your card through the credit card slider to make an impression. There'd be a copy for you, a copy for them, and "mystery copies" going who knows where. And let's not forget the carbons that dropped out as the clerk ripped apart the credit card slip, which were immediately dropped into the trash without any shredding. Fortunately for all of us, credit card fraud took a lot of work back then, often involving dumpster diving.

Times have changed. While you often still have to deal with a bored sales clerk, unless the power or data connection is down, odds are they won't take an impression of your card. We've advanced to sliding the cards ourselves, or tapping our card if it has the right chip embedded inside. And those carbons are ancient history.

As we all know, accompanying the advances in technology has been an explosion in identity theft, online fraud, and database breaches. Data security is on the minds of everyone and a variety of government and industry efforts have been enacted recently to protect credit card data. You've probably heard of government efforts such as Gramm-Leach-Bliley, HIPAA, and Sarbanes-Oxley. Today I'd like to throw another compliance program by you, this one created by the private sector.

Originally individual card companies had their own security programs designed to protect consumers by requiring companies to meet minimum levels of security when dealing with consumer data. The companies wanted merchants and other companies accepting credit cards to protect the account numbers, expiration dates, and other card data. However, a few years ago a few of the major card companies came together and combined their efforts.

The Payment Card Industry Security Standards Council (Council) (www.pcisecuritystandards.org) has come up with a new card industry standard for companies that handle credit card data. The Council is an independent standards body originally formed by five major card companies: American Express, Discover Financial Services, JCB Co., MasterCard Worldwide, and Visa International.

The Council took the technical and operational security programs, policies, and best practices developed by major credit card companies and combined them to create the new Payment Card Industry Data Security Standard (PCI DSS). The Council designed PCI DSS to prevent electronic and paper theft of cardholder data before, during, and after card transactions. The PCI DSS governs all merchants and organizations that store, process, or transmit cardholder payment data ("Merchants").

This new standard, coming down as it did from the Council and major card companies without much (if any) input from Merchants, has not been met with universal acclaim. Some Merchants think that what the card companies are really doing is transferring the risk of data breaches from the card companies to the Merchants. By establishing a minimum set of standards, the industry can point to its standard and attempt to focus the liability and PR hit on the Merchants who are holding the data and suffered the breach.

This criticism is fair, but Merchants do have a duty to protect card data.

Merchants must be PCI DSS compliant or risk losing their ability to process card payments, being audited, or being fined. All Merchants need to be PCI DSS compliant regardless of size. Compliance is mandated by the card companies and not the Council, and of course the individual card brands handle compliance differently. Methods of validating compliance vary; Merchants should check the PCI DSS website (https://www.pcisecuritystandards.org/) and their card brand or bank for more details. There's also an industry of PCI experts, auditors, and training out there.

Deadlines for compliance have already passed, so the Council states Merchants should check with their card company or bank if any specific deadlines apply to them. Merchants also need to check with their card company about penalties for non-compliance. Penalties include fines, increased transaction rates, and exclusion from processing card transactions.

Merchants were initially slow in complying with the PCI DSS, but compliance rates are increasing. Part of the problem has been the view by some that since PCI DSS is a private standard it lacks strong enforcement powers. I'm not sure how valid that criticism is. It seems to me that if you lose the ability to process credit card transactions, that's a pretty strong remedy. Have you noticed the blank expression on people's faces when you tell them you only take cash? Lose the ability to take cards and you'll lose customers.

Another reason for slow compliance is that the Merchants have to cover the costs of satisfying the PCI DSS. For Merchants with lax or nonexistent security, there's likely to be a significant investment of time and money required to get things compliant. And it's tough to quantify whether a Merchant will ever see a direct return on her investment.

I'd like to suggest that you shouldn't think of the PCI DSS as an additional burden for your company. Instead, consider it another security tool in your security plan. The Council's standard actually provides you with a lot of good network security information you can incorporate into your own security plan, and it can be used as a starting point in creating a new security plan.

The PCI DSS specifies 12 requirements for compliance that are broken down into six "control objectives." The control objectives and requirements are briefly described below. Space here is limited, so I strongly urge you to read the details on each of the objectives and requirements as set forth in the PCI DSS since each of the 12 requirements contains important additional details. The current version of the PCI DSS is available here: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security


This is the latest standard, and the current version of the PCI DSS (v 1.1) is due to be updated in October 2008.

Keep in mind that the PCI DSS is a set of minimum standards; you can always go above and beyond in protecting card data. If you're willing to invest the time and money to come up with additional measures beyond the Council's minimum standards, they're not going to complain.

Take a look at your current security plan. You do have one, right? Odds are your current plan needs only minor tweaks to satisfy the PCI DSS.

PCI DSS is not perfect. It's only designed to prevent electronic and paper theft of card data; it does not prevent skimming and other forms of fraud. It also is not designed to police the Internet or be some sort of universal standard. Still, implementing these standards is good for business in this day and age of credit card theft.

© Tannenbaum Helpern Syracuse & Hirschtritt LLP