Understand your Legal Rights and Responsibilities Related to PCI Compliance
Sept. 30, 2008
A Brief History
As with most aspects of the Internet, doing business via the Web has been a series of constant experiments and corrections. The growth of electronic payments was accompanied by a sharp rise in the number and severity of identity theft and card fraud cases around the world. Since the card brands (the payment networks whose names appear on the cards) were the most visible parties to these transactions, the burden of securing cardholder identities and other sensitive data was assigned to them.
The PCI Data Security Standard (PCI DSS) was designed to be a single, comprehensive framework for the security, data integrity and privacy concerns associated with processing electronic payment data. Adopting this one standard as a condition of doing business with the card brands created risk and liability for every downstream entity in the PCI spectrum: acquirers, third-party processors and service providers, hosting service providers, brick-and-mortar merchants and e-commerce merchants.
This article defines four simple steps to identifying, documenting, managing and securing your clients’ data, regardless of where it sits within the PCI spectrum. By using both carrots and sticks, you can craft contracts and working relationships with each of the businesses that make up your cardholder data network, since each of them is an element of your risk.
But the card brands are independent corporations, not governmental bodies. They cannot levy a statutory fine or call on a government enforcement body to monitor and enforce security. What they can, and do, use are contracts and other legal instruments that carry penalties. As irresponsible or negligent businesses have failed to protect cardholder data and client information, the card brands have created severe consequences, up to and including terminating the business’s ability to accept electronic payment.
As in most organizations, bad news (and other things) trickles down the food chain. The acquiring banks did not feel compelled to absorb the burden and high costs created by the processors, service providers and, eventually, the merchants who used their money and services. The cost of penalties, and of the corrective actions and breach notifications that follow, was passed by the acquirers down to the entity associated with the breach, and therefore with the loss.
During those early years, millions of dollars were spent or went unrecovered within the payment markets, and customer confidence and loyalty were squandered. There had to be a more proactive mechanism for addressing security and PCI compliance.
The greatest force for proactive management of the entire electronic payment process has been the development of, and required adherence to, the single PCI standard. Unlike ISO 27001, which covers an organization’s entire information security management system, or SAS 70, which reports only on the controls a service organization itself chooses to describe, PCI DSS homes in on protecting one specific class of data (cardholder data) and prescribes specific controls for that protection.
Know Your Vendors – Know Who Handles Your Data
The most critical step in protecting cardholder data is to be intimately familiar with everyone who touches or manages that data. You may hold a contract with only one link in the food chain, but you still have an obligation to give that party guidance and incentive to manage the entities it, in turn, interacts with.
The third-party service providers and processors who touch, manage and store the vast majority of cardholder data have a direct connection to you, and managing them is your direct responsibility. Managing the total risk, however, means your contracts with those third parties must require them to take responsibility for managing their own clients and the risk those clients generate.
Managing the Middle Man
Managing third-party service providers and processors, or any PCI entity with direct access to you, is a matter of managing the whole population of them, not just the largest.
- Assess, Assess, Assess
PCI DSS requires third-party service providers and hosts to validate their compliance: the highest-volume providers must undergo an on-site assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC), while smaller providers may validate with a Self-Assessment Questionnaire (SAQ). Your contractual relationships should be based on the results of that validation. The ROC (or SAQ) is your guide to the overall security health of your clients, so insist on seeing a current one, not last year’s.
The fluidity of today’s business transactions and relationships requires a new approach to contracts. The core commercial language (fees, percentages and terms) can remain stable, but the language covering security and consequences should be reviewed more frequently. Those clauses should be tied directly to maintaining external PCI validation, and should carry shorter review periods (annual or semi-annual, with a termination clause) for data security and compliance.
Create an advisory liaison group that is easily reachable and can give simple answers to your third-party organizations. Offer them some level of “risk-free” consulting, reducing the fear of negative consequences for asking. This transparency lets risk be identified and mitigated more quickly and more effectively.
- Manage outside your sphere
Use incentives and contracts to require your third-party service providers to understand and manage their own clients. Managing the food chain is more work in the short term, but it pays off handsomely when every entity in your related PCI spectrum can demonstrate validated compliance.
Clear, open and constant communication of your security and management expectations to each third-party service provider and all of its clients gives you the best chance of preventing a breach or data compromise. And should the worst happen, that same communication creates the documentation you will need to show what was required of whom.
Handling the Exceptions
The best defense is a good contract and legal strategy.
Implementing assessment, contracts, liaison, management and communication creates some overhead within the acquiring organization, but the benefit is a significant reduction (up to 60%, according to IT Compliance Institute studies) in breaches and compromises across intertwined business networks. There will still be a time, however, when you need to exercise the contractual option for remediation of a breach.
Strong contractual obligations, drafted with attorneys well versed in electronic commerce and Internet law, are the final component protecting your organization when everything else fails. Those obligations should contain not only an incentive for companies to avoid a potential breach, but also severe and swift penalties for failure. There are very few second chances to regain consumer trust, or to overcome the stigma of a breach, no matter where in your sphere it occurs.