What card payment rules must a retailer operating in the United States follow?
MS: When a merchant uses, transmits, stores or outsources the credit card function, it is subject to a number of rules in the U.S., including the Payment Card Industry Data Security Standard (PCI DSS). These rules change every few years and the new PCI DSS version, v. 3.1, issued April, 2015, is increasingly robust and encompassing. There are fines, penalties and assessments issued by the card brands for PCI non-compliance, for example, in the event of data breach. The rules touch every entity in the credit card ecosystem, from card processors to websites to hosting services to back-end storage — any company that stores or moves credit card information must comply and a detailed allocation of responsibilities is now required. Retailers need to understand that these duties push down to everyone in their card chain, including third party vendors. A merchant is still ultimately responsible under PCI rules for its third party vendor activities, including any outsourced card functions.
How do hackers take advantage of weaknesses in a retailer’s technology?
MS: The hackers are smart and resourceful. They especially target systems with “low-hanging” fruit, including old code or that which is designed for functionality and speed, and not necessarily security. Recently some card breaches have also focused on third-party system vulnerabilities.
A new PCI DSS rule starting on July 1, 2015, which will become fully effective a year later, states that companies can no longer use Secure Sockets Layer (SSL), a security technology for establishing an encrypted link between a server and a client, to encrypt credit card data. SSL may no longer be used for any new card technology installations (with some limited exceptions), risk assessments are required, and companies must substitute a new system with more security. SSL has back-door vulnerabilities that hackers were able to exploit.
Are there specific U.S. laws concerning data collection and card payments during the point of sale?
MS: Yes. A number of U.S. state laws restrict collection of personal data in a credit card transaction at the point of sale (POS). These laws limit what personal data merchants can collect, such as ZIP codes and other personal identifiers, when running a credit card at POS in-store. There has been a boom in class action litigation in California and Massachusetts relating to this type of data collection, which merchants have followed closely. So far this litigation trend has been largely limited to these two states, and plaintiffs have been less successful in other states so far.
What can EU retailers learn from their American counterparts?
MS: Companies in the U.S. have experienced numerous card and other personal data breaches and now know how to deal with them. This experience in the U.S. extends to breach investigations, forensics, process management, remediation, notifications to government agencies and individuals, after-action follow-up, responses to regulatory enforcement actions and defense of class actions. The EU countries (and businesses there) so far do not yet have that level of practical or implementation experience because until recently data breaches, with some exceptions, did not have to be reported there.
Lessons learned from U.S. credit card data breaches are: secure your card data and frequently test it; compartmentalize and segregate your card data — don’t store it when you don’t need to; vet third party vendor’s capabilities and security carefully; and consider updating incident response plans and cyberrisk insurance.