Any business participating in the payment card system needs to understand the Payment Card Industry Data Security Standard (PCI Standard) to manage risks accordingly. The PCI Standard is intended to apply to all organizations that store, process or transmit cardholder data in the course of carrying out credit card transactions. It is maintained by the PCI Security Standards Council, which is a membership-based organization led by the credit card brands. Given the breadth of its application, the PCI Standard has become one of the more influential security standards for the regulation of data protection. It is vital that any business subject to the PCI Standard keep up-to-date with modifications to that standard and ensure that its personnel are directed to remain compliant with the most current versions of the PCI Standard.
Application of PCI Standard
The PCI Standard is not a legislative requirement. Rather, it is implemented through agreements that govern credit card systems (i.e., agreements between merchants and financial institutions or transaction processors that receive transactions (“acquirers”) and between acquirers and credit card companies).
Merchant agreements are typically characterized by strong protections for the acquirers and credit card companies, and substantial obligations and liability for the merchant. Merchant agreements entered into recently specifically set out an obligation to keep current with the PCI Standard, and generally indicate that the merchant will be liable for any fines, penalties or liabilities arising from a failure to comply. Acquirers and credit card companies are usually granted rights to audit the merchant and its systems to ensure that the PCI Standard is being followed. Merchant agreements generally do not contain any limitation of liability.
Compliance with the PCI Standard
Under the PCI Standard, organizations that store, process or transmit cardholder data must meet the following 12 broad requirements:
- install and maintain a firewall configuration to protect cardholder data;
- avoid using vendor-supplied defaults for system passwords and other security settings;
- adopt measures to protect cardholder data;
- use encryption of cardholder data across open networks;
- use and update anti-virus software or services;
- develop and maintain secure systems and applications;
- restrict access to cardholder data by business need-to-know;
- assign a unique ID to each person with computer access;
- restrict physical access to cardholder data;
- track and monitor access;
- regularly test security systems and processes; and
- maintain information security policies for employees and subcontractors.
The following measures should also be undertaken by organizations which may be subject to the PCI Standard:
- Ensure that any contracts mandating compliance (usually merchant agreements) with the PCI Standard are identified and the liability terms clearly understood;
- Designate personnel with responsibility for reviewing, complying with and monitoring changes in the PCI Standard;
- Establish appropriate internal reporting for compliance with the PCI Standard. This reporting should be to the executive level in the company;
- Undertake self-assessments of practices and systems to ensure compliance and, when necessary, engage outside resources trained in PCI Standard compliance to review systems. Where there are material non-compliance issues, put in place a plan to promptly address them; and
- Review contracts with service providers to ensure not only that there is an obligation to comply with static security requirements or a general standard of “good industry practices”, but also an obligation to comply with the applicable portions of the PCI Standard and its evolution over time.
Consequences of Non-Compliance
PCI Standard compliance should be a matter of heightened concern as a result of recent developments related to more general liability for data breaches in the payments system. In the past few years, both the potential liability and the appetite to make claims for compensation for liability arising out of data breaches have widened considerably. Massive thefts of cardholder data from The TJX Companies, Inc. (disclosed in January, 2007), Heartland Payment Systems Inc. (disclosed in November, 2008) and others have resulted in a number of significant lawsuits and complaints to privacy authorities in the United States and Canada. Card issuers have sought damages for the costs associated with re-issuing cards to consumers whose card data had been compromised. In addition, a number of class actions have been filed to directly address damages incurred by individuals whose identities had been stolen as a result of a breach.
The broad application of the PCI Standard suggests that it may also become the basis of a standard of care for system security, particularly for systems that deal with consumer and financial data. Following the PCI Standard will likely not be a complete defence to negligence claims, but compliance does establish a strong presumption of diligent conduct. Conversely, a failure to comply offers a clear and compelling argument that the business has not maintained its data in accordance with a well-recognized standard of care, opening the company to claims not only in contract but also in tort for negligence.
It is important to bear in mind that in Canada, data breaches involving consumer data will likely result in complaints and investigations by the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. Once again, while not entirely determinative, compliance with the PCI Standard can be an important factor in how well the business bears the scrutiny and weathers the public relations storm associated with a major breach of privacy. Merchants who fail to comply with the PCI Standard may be penalized with fines.