Copyright © 2011 Holland & Knight LLP All Rights Reserved
Payment Card Industry
Data Security Standards
January 19, 2011
PCI Standards Generally
• The Payment Card Industry Data Security Standards (or “PCI
standards” or “PCI DSS”) are industry standards promulgated
by the major credit card brands that are a baseline of important
security controls to safeguard sensitive cardholder data.
• The PCI DSS apply to all entities that store, process, and/or
transmit cardholder data: “If you are a merchant who accepts or
processes payment cards, you must comply with the PCI DSS.”
• The PCI Security Standards Council writes and updates the PCI
PCI Standards Generally
• The PCI DSS are not law.
• Rather, they are industry standards promulgated under contract
by a council of the major credit card payment brands to regulate
their member acquiring banks, who in turn are responsible for
ensuring that merchants and businesses, for whom they process
transactions, conform to the standards.
– But see S.B.227 (Nev. 2009), amending Nev. Rev. Stat. §603A. The Nevada law, among other things, mandates Nevada businesses to
PCI Standards Generally
• The PCI standards are a comprehensive set of 12 data security requirements imposed on all entities that process, store or transmit certain sensitive “cardholder data,” comprising merchants, banks and credit card transaction processors.
Credit Card Transactions
• Generally speaking, every time a cardholder uses a credit card to pay a merchant for goods or services, the issuing bank, acquiring bank and
merchant must interact to process and complete the transaction. Simply put, an “acquiring bank” is a bank that processes credit card transactions on
behalf of merchants, as opposed to an “issuing bank,” which issues credit cards to consumers.
• After the merchant’s computer scanners “read” the cardholder information contained in the magnetic strip, the merchant then sends the pertinent
account information through the network to the issuing bank. The issuing bank reviews the cardholder information and, assuming the card is valid with sufficient available credit, it authorizes the transaction.
Credit Card Transactions - Risks
• As the cardholder information is transmitted to and from the merchant over the Internet or wireless network, there are security risks.
• Cyber-thieves could potentially intercept the transmission and steal sensitive card information, which is why the PCI standards require encryption for card information transmitted over public networks.
– Sensitive information might include full magnetic-stripe data, CAV2/CVC2 (or other validation codes), or PINs and PIN blocks (a block of data used to encapsulate a PIN during processing), all of which are used to authenticate cardholders and authorize card transactions.
• In addition, criminals could also use malware to infiltrate the merchant’s own computer systems and steal consumer information; hence, the PCI
standards mandate numerous security precautions to protect against network intrusions, including firewalls, log monitoring, access controls, and periodic vulnerability scans to ensure the merchant’s system has not been
PCI Compliance
• Verification of PCI compliance can be performed by a Qualified Security Assessor, who will perform an on-site inspection and determine whether an entity is compliant and advise on how to maintain compliance.
• An Approved Scan Vendor performs quarterly vulnerability scans of a merchant’s or service provider’s Internet-facing environments to ensure compliance with the PCI Standards’ external vulnerability scanning requirement.
• In certain circumstances, smaller merchants that are not required to undergo on-site assessments may complete a self-assessment questionnaire.
Regardless, all merchants must meet certain security reporting requirements.
Merchant Levels
• For example, MasterCard's security program, with the PCI DSS as its foundation, details the data security requirements and compliance validation requirements to protect stored and transmitted MasterCard payment account data.
Why Comply?
• Failure to comply with the PCI Standards can result in fines,
additional audit requirements or the suspension of the ability to
process credit card transactions with particular payment card
brands.
• Generally speaking, the payment card brands may fine an acquiring
bank for PCI violations, with such fines likely passed down to
non-complying service providers and merchants.
Why Comply?
• In 2009, for example, the average data breach cost $6.75
million, about $204 per compromised customer record.
• Any data breach could result in grave reputational damage
and cost exposure:
– Investigatory and response costs
– Data breach notification costs (requirements vary under state law)
– Court awards; settlements with consumers and payment card brands; legal and expert fees
– Regulatory costs and settlements with the FTC and state attorneys general
– Future compliance and remedial costs
– Business costs, including damage to brand and consumer goodwill
Why Comply?
Recent Example
• In Jan. 2009, Heartland Payment Systems, a large payment
processor, suffered a breach that compromised 130 million
cards. The breach was caused by malware that infected its
networks and collected in-transit, unencrypted payment card
data during the transaction authorization process.
– After insurance reimbursement, Heartland’s breach cost over $114.7 million, principally for settlements. Approximately $30.3 million of the total charges were for legal fees and costs incurred for
Is Compliance Enough?
• Following several newsworthy data breaches, it was reported that the affected companies had been certified PCI compliant.
• Some commentators have cautioned that while the PCI standards are
excellent security baselines, they do not necessarily mean a network is 100% secure.
• Security should be a multi-layered, ongoing concern.
Merchant Liability Legislation
• Merchant liability legislation seeks to codify certain portions of the PCI standards and allow financial institutions to recover certain costs stemming from a merchant’s data breach, particularly issuing banks, which have faced obstacles in recovering their costs in reissuing credit cards following a
breach.
• Minnesota: Minn. Stat. §325E.64 (Supp. 2007): The law essentially codifies fundamental PCI standards regarding the protection of credit card authorization data into law for merchants conducting business in Minnesota that handle
sensitive consumer data. Financial institutions have the right to recover breach-related costs from merchants who retain certain credit and debit card transaction data beyond certain time frames.
• Washington: H.B.1149. This merchant liability law applies to covered entities that process at least 6 million yearly payment card transactions and contains safe harbors exempting covered entities if the account information was