Any business participating in the payment card system needs to understand the Payment Card Industry Data Security Standard (PCI Standard) and manage risks accordingly. The PCI Standard is intended to apply to all organizations that store, process or transmit cardholder data in the course of carrying out credit card transactions. It is maintained by the PCI Security Standards Council, a membership-based organization led by the credit card brands. Given the breadth of its application, the PCI Standard has become one of the more influential security standards for the regulation of data protection. It is vital that franchisors and franchisees keep up to date with modifications and ensure that personnel at the appropriate levels are directed to remain compliant with the most current version of the PCI Standard.
Application of PCI Standard
There is a common misconception that because the PCI Standard is referred to as a “standard,” it is a legislated regulatory requirement or otherwise stands apart from contract. Although in a few jurisdictions similar requirements have been adopted in statute, in Canada this is not the case. The PCI Standard is implemented through the agreements that govern credit card systems: merchant agreements between merchants and the financial institutions or transaction processors that receive transactions (known in the payment system as “acquirers”), and the agreements that acquirers have with the credit card companies (e.g. Visa Inc. and Mastercard International Incorporated).
Merchant agreements typically contain strong protections for the acquirers and card companies and substantial obligations and liability for the merchant. Merchant agreements entered into recently specifically set out an obligation to keep current with the PCI Standard, and generally indicate that the merchant will be liable for any fines, penalties or liabilities arising from a failure to comply. Acquirers and card companies are usually granted rights to audit the merchant and its systems to ensure that the PCI Standard is being followed. Merchant agreements generally do not contain any limitation of the merchant's liability.
Under the PCI Standard, organizations that store, process or transmit cardholder data must meet the following twelve broad requirements:
- install and maintain a firewall configuration to protect cardholder data;
- avoid using vendor-supplied defaults for system passwords and other security settings;
- adopt measures to protect cardholder data;
- use encryption of cardholder data across open networks;
- use and update anti-virus software or services;
- develop and maintain secure systems and applications;
- restrict access to cardholder data by business need-to-know;
- assign a unique ID to each person with computer access;
- restrict physical access to cardholder data;
- track and monitor access;
- regularly test security systems and processes; and
- maintain information security policies for employees and subcontractors.
More detailed descriptions of required measures are included under each topic.
As already mentioned, merchants who fail to comply with the PCI Standard face fines. In addition, in the past few years both the potential liability and the appetite to make claims for compensation for liability arising out of data breaches have widened considerably. Massive thefts of cardholder data from The TJX Companies, Inc. (disclosed January 2007), Heartland Payment Systems, Inc. (disclosed November 2008) and many others have resulted in a number of significant lawsuits and complaints to privacy authorities in the United States and Canada. Card issuers have sought damages for the costs associated with reissuing cards to consumers whose card data has been compromised. In addition, a number of class actions have been filed to directly address damages incurred by individuals whose identities have been stolen as a result of a breach.
The broad application of the PCI Standard suggests that it may also become the basis of a standard of care for system security, particularly for systems that deal with consumer and financial data. Following the PCI Standard will not be a certain defence to negligence claims, but compliance establishes a strong presumption of diligent conduct. Conversely, a failure to comply offers a clear and compelling argument that the business has not maintained its data in accordance with a well-recognized standard of care, opening the company to claims not only in contract but also in tort for negligence.
It is important to bear in mind that in Canada data breaches involving consumer data will likely result in complaints and investigations by the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. Once again, while not entirely determinative, compliance with the PCI Standard can be an important factor in how well the business bears the scrutiny and weathers the public relations storm associated with a major breach of privacy. This factor is particularly important for franchisors concerned with defence of the reputation of valuable brands.
What to do
The following measures, allocated appropriately between the franchisor and its franchisees, should be in place to promote compliance with the PCI Standard:
- Ensure that any contracts mandating compliance with the PCI Standard (usually merchant agreements) are identified and their liability terms clearly understood.
- Designate personnel with responsibility for reviewing, complying with and monitoring changes in the PCI Standard.
- Establish appropriate internal reporting with respect to compliance with the PCI Standard. This reporting should be to the executive level in the company.
- Undertake self-assessments of practices and systems to ensure compliance, and, when necessary, engage outside resources trained in PCI Standard compliance to review systems. Where there are material non-compliance issues, put in place a plan to promptly address them.
- Larger organizations in particular should prepare for audits from card brands with respect to PCI compliance by ensuring information demonstrating compliance with each requirement is documented and readily available.
- Review contracts with service providers to ensure not only that there is an obligation to comply with static security requirements or a general standard of “good industry practices,” but also an obligation to comply with the applicable portions of the PCI Standard and its evolution over time.