Payment Card Industry Data Security Standards and the Law
PCI DSS continues to create questions for our merchants.
Who created the standards? Are they law ? (very nice but do we have to?) who's enforcing all this stuff? and so on.
The standards are developed by a security council comprised of the major card brands and most everything you need to know can be found on their site - PCI Security Standards Council. You can find merchant requirements by size right here on our PCI DSS blog.
Enforcement and the law are other issues.
Currently PCI DSS is "enforced" by the card brands and put in place by payment processors. The processor works with each merchant and merchant account to ensure standards are met and the merchant is charged for the cost of compliance. Merchants found to be out of compliance, who experience a data breach, can be fined by Visa or MasterCard and risk losing credit card processing privileges (think livelihood folks).
Two issues stand out when it comes to the law, merchants and securing the confidential data of consumers using credit cards to purchase goods and services - notification of data breaches and PCI DSS compliance.
Data Breach Notification. If a breach is detected by a merchant...do they have to tell and WHO do they have to tell? Currently and amazingly, there is no federal law legislating actions regarding a data breach though they are in the works. S.139 - the Data Breach Notification Act is still alive but hasn't gone any further since November of 2009, H.R.2221 Data Accountability and Trust Act - last point of action- was passed in the House in Dec. 2009. These things take time.
Your state may be another story. Since 2002 and California's SB1386, many states have enacted notification laws requiring companys to notify consumers if their data has been lost or "compromised". Typically the laws address what must be reported to the consumer - type of data compromised, who must report the breach, how consumers will be notified (electronically, in writing, etc.) and how quickly.
To see if your state has a law regarding security breaches check this list from the National Conference of State Legislatures - almost all do.
While each law is different, in addition to notification - legislature seems to be moving towards merchant liability in security breaches (maybe data security ISN'T such a bad idea!). In other words, states are also enacting PCI DSS compliance law.
The state of Minnesota is the first to make merchants (2007) not compliant with PCI DSS liable for associated financial institution costs in instances of security breaches (i.e. reissuing cards, customer refunds for unauthorized charges, closing and reopening accounts, etc.). Could be costly.
In 2009 Nevada updated its encryption law to mandate all businesses in the state that accept credit and debit cards be PCI DSS compliant - pretty strong statement. In March of 2010, Washington enacted merchant liability laws relevant to PCI DSS compliance similar to that of Minnesota. Businesses with a breach, found to be out of compliance, will be held financially responsible for costs associated from the incident. Merchants take note - these laws apply to out of state businesses transacting business in the state.
It's worth noting here I guess that some of these new laws are relevant only to merchants handling a large number of transactions or level I merchants. We suspect however, that not only will other states follow suit but to some degree, eventually - all levels of merchants will be held liable for compliance.
Moral of the story? PCI DSS is not going away. Expect standards to get tougher if anything and while the federal government is lagging - states are taking steps to protect consumer card data. If you're a credit card processing merchant - you should be too.