January 03, 2019 Practice Points

The Payment Card Industry Data Security Standard

By Leonard Wills

Founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc., the Payment Card Industry (PCI) Security Standards Council (SSC) incorporates the PCI Data Security Standard (DSS) to set technical and operations requirements to protect cardholder data. It applies to all entities that store, process, or transmit cardholder data. PCI DSS 3.2.1, released on May 2018, marks the latest version.

The PCI DSS deals with payment card data and cardholder information, including primary account numbers (PAN), credit/debit card numbers, and sensitive authentication data (SAD) such as CVVs. Each payment card company, however, has its own program for compliance, validation levels, and enforcement.

Though the PCI DSS is not the law, it applies to merchants in at least two ways: (1) as part of a contractual relationship between a merchant and card company, and (2) states may write portions of the PCI DSS into state law.

The PCI DSS consists of twelve requirements.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

If a merchant experiences a breach because of PCI DSS noncompliance, the payment card brands may impose penalties on the merchant’s acquiring bank. The merchant’s acquiring bank typically passes the cost of the penalty to the merchant. The penalty costs between $5,000 to $500,000 per month. If breaches continuously occur, card brands can revoke a merchant’s right to process transactions with their cards.
In the event of a breach, the PCI DSS does not require merchants to notify the public or even the PCI SSC. Per the PCI DSS, however, merchants have an obligation to notify their payment processor of any breach. The payment processor then shares the information with the card companies. In reality, card companies usually first notify merchants of any breach because card brands notice patterns of fraudulent transactions.

According to the 2018 Payment Security Report released by Verizon, about 46 percent of companies in Europe and 39 percent of companies in America comply with the PCI DSS. These numbers show that overall PCI DSS compliance has declined—despite its proven effectiveness in protecting systems from breach and cyberattacks. The report notes that this disparity does not necessarily show company negligence but points to other issues such as maturity of IT systems or cultural appreciation of awards and recognitions.

Failure to comply with the PCI DSS can negatively impact a company’s reputation and have significant legal repercussions. Complying with the PCI DSS remains paramount in avoiding potential breaches or cyberattacks. Follow compliance best practices to ensure PCI DSS compliance and minimize liabilities.
 

Leonard Wills is a presidential management fellow in Washington D.C.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).