Payment Card Industry Data Security Standards

Transcription

1 Payment Card Industry Data Security Standards January 19, 2011 Marc S. Reisler, Holland & Knight Copyright 2011 Holland & Knight LLP All Rights Reserved

2 Data Breaches Remain a Serious Concern

3 PCI Standards Generally The Payment Card Industry Data Security Standards (or PCI standards or PCI DSS ) are industry standards promulgated by the major credit card brands that are a baseline of important security controls to safeguard sensitive cardholder data. The PCI DSS apply to all entities that store, process, and/or transmit cardholder data: If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS. The PCI Security Standards Council writes and updates the PCI DSS, but each card brand establishes its own program for compliance, validation levels and enforcement. 3

4 PCI Standards Generally The PCI DSS are not law. Rather, they are industry standards promulgated under contract by a council of the major credit card payment brands to regulate their member acquiring banks, who in turn are responsible for ensuring that merchants and businesses, for whom they process transactions, conform to the standards. But see S.B.227 (Nev. 2009), amending Nev. Rev. Stat. 603A. The Nevada law, among other things, mandates Nevada businesses to comply with the PCI Standards in any transaction involving a payment card for goods or services. 4

5 PCI Standards Generally The PCI standards are a comprehensive set of 12 data security requirements imposed on all entities that process, store or transmit certain sensitive cardholder data, comprising merchants, banks and credit card transaction processors. 5 Source: PCI Security Standards Council, LLC

6 Credit Card Transactions Generally speaking, every time a cardholder uses a credit card to pay a merchant for goods or services, the issuing bank, acquiring bank and merchant must interact to process and complete the transaction. Simply put, an acquiring bank is a bank that processes credit card transactions on behalf of merchants, as opposed to an issuing bank, which issues credit cards to consumers. After the merchant s computer scanners read the cardholder information contained in the magnetic strip, the merchant then sends the pertinent account information through the network to the issuing bank. The issuing bank reviews the cardholder information and, assuming the card is valid with sufficient available credit, it authorizes the transaction. Upon receiving notification, the merchant completes the transaction with the cardholder, and then forwards the receipt to the acquiring bank who pays the merchant. The acquiring bank then notifies the issuing bank that payment has been received, and the issuing bank pays the acquiring bank and charges the cardholder. 6

7 Credit Card Transactions - Risks As the cardholder information is transmitted to and from the merchant over the Internet or wireless network, there are security risks. Cyber-thieves could potentially intercept the transmission and steal sensitive card information, which is why the PCI standards require encryption for card information transmitted over public networks. Sensitive information might include full magnetic-stripe data, CAV2/CVC2 (or other validation codes), or PINs and PIN blocks (a block of data used to encapsulate a PIN during processing), all of which are used to authenticate cardholders and authorize card transactions. In addition, criminals could also use malware to infiltrate the merchant s own computer systems and steal consumer information; hence, the PCI standards mandate numerous security precautions to protect against network intrusions, including firewalls, log monitoring, access controls, and periodic vulnerability scans to ensure the merchant s system has not been compromised. 7

8 PCI Compliance Verification of PCI compliance can be performed by a Qualified Security Assessor, who will perform an on-site inspection and determine whether an entity is compliant and advise on how to maintain compliance. An Approved Scan Vendor performs quarterly vulnerability scans of a merchant s or service provider s Internet-facing environments to ensure compliance with the PCI Standards external vulnerability scanning requirement. In certain circumstances, smaller merchants that are not required to undergo on-site assessments may complete a self-assessment questionnaire. Regardless, all merchants must meet certain security reporting requirements. Compliance assessments and testing depend on an entity s merchant level, which is principally based upon the number of credit card transactions processed per year. In general, the more transactions, the greater the security requirements and the greater the cost of compliance. 8

9 Merchant Levels For example, Mastercard's security program, with the PCI DSS as its foundation, details the data security requirements and compliance validation requirements to protect stored and transmitted MasterCard payment account data. 9 Source:

10 Why Comply? Failure to comply with the PCI Standards can result in fines, additional audit requirements or the suspension of the ability to process credit card transactions with particular payment card brands. Generally speaking, the payment card brands may fine an acquiring bank for PCI violations, with such fines likely passed down to noncomplying service providers and merchants. In some cases, an acquiring bank might suspend its relationship with a merchant or increase credit card transaction fees. Such remedies and penalties are outlined in a merchant s account agreement. 10

11 Why Comply? In 2009, for example, the average data breach cost $6.75 million, about $204 per compromised customer record. Any data breach could result in grave reputational damage and cost exposure: Investigatory and response costs Data breach notification costs (requirements vary under state law) Court awards; settlements with consumers and payment card brands; legal and expert fees Regulatory costs and settlements with the FTC and state attorneys general Future compliance and remedial costs Business costs, including damage to brand and consumer goodwill 11

12 Why Comply? Recent Example In Jan. 2009, Heartland Payment Systems, a large payment processor, suffered a breach that compromised 130 million cards. The breach was caused by malware that infected its networks and collected in-transit, unencrypted payment card data during the transaction authorization process. After insurance reimbursement, Heartland s breach cost over $114.7 million, principally for settlements. Approximately $30.3 million of the total charges were for legal fees and costs incurred for investigations, defense of claims, remedial actions and crisis management services. 12

13 Is Compliance Enough? Following several newsworthy data breaches, it was reported that the affected companies had been certified PCI compliant. Some commentators have cautioned that while the PCI standards are excellent security baselines, they do not necessarily mean a network is 100% secure. Security should be a multi-layered, ongoing concern. Such concerns have drawn attention to security technologies that exceed those required under the PCI Standards (e.g., end-to-end encryption). 13

14 Merchant Liability Legislation Merchant liability legislation seeks to codify certain portions of the PCI standards and allow financial institutions to recover certain costs stemming from a merchant s data breach, particularly issuing banks, which have faced obstacles in recovering their costs in reissuing credit cards following a breach. Minnesota: Minn. Stat. 325E.64 (Supp. 2007): The law essentially codifies fundamental PCI standards regarding the protection of credit card authorization data into law for merchants conducting business in Minnesota that handle sensitive consumer data. Financial institutions have the right to recover breachrelated costs from merchants who retain certain credit and debit card transaction data beyond certain time frames. Washington: H.B This merchant liability law applies to covered entities that process at least 6 million yearly payment card transactions and contains safe harbors exempting covered entities if the account information was encrypted at the time of the breach or the covered entity was certified PCI compliant at the time of the breach. 14