In 2013, a number of high-profile data breaches involving major retailers such as Target and Neiman Marcus placed an unwanted spotlight on the vulnerability and insecurity of debit and credit card point of sale (POS) systems. The legacy mag-stripe payment card system, on which so many consumers and merchants rely, is long overdue for improvements that would increase security and decrease vulnerability. Such updates may come in the form of new technologies and emerging payment systems that offer more efficient and secure transaction methods.
While a discussion of alternative or emerging payment systems is beyond the scope of this article, a comprehensive understanding of the current payment card processing system will prove useful, and timely, for the general counsel who wants to take ownership of compliance and risk in this area. To rely on IT alone fails to leverage the value and necessity of a partnership with in-house counsel that would ensure proper compliance, and ignores a significant and potentially expensive risk regarding the management and security of customer data.
Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) requires the same scrutiny and vigilance as any other corporate or data governance matter and, coming off the heels of 2013, which PC World labeled “The Year of the Personal Data Breach,” consumer awareness and concern have reached an all-time high.
The purpose of this article is to help in-house counsel understand the risk landscape inherent in legacy payment card processing systems and develop a strategy to mitigate such risks.
Who are the people in your payment card ecosystem?
In brief, payment card networks provide the "rails" that link together merchants who accept payments via credit and debit card to customers, third party payment processors, merchant acquirers and depository institutions. The American Express and Discover card networks are unique in that they connect merchants and consumers directly. In contrast, Visa and MasterCard follow a slightly different process; they maintain relationships directly with financial institutions that are also part of the payment card ecosystem.
Banks that provide customers with cards to use for purchases are referred to as “issuing banks,” while banks that partner with merchants to offer payment card services are called “acquiring banks.”
There are also entities that act as agents for merchants and acquiring banks for purposes of processing payments called “third party payment processors” (TPPPs). First Data, Global Payments, Fifth Third and BA Merchant Services are all examples of TPPPs.
Together these entities form the payment card ecosystem, and each has a varying degree of exposure and risk regarding the compromise of cardholder information.
Who is responsible for the PCI-DSS?
In 2004, the major credit card companies established the PCI-DSS in order to assure that all parties were equally committed to the security of the payment card ecosystem and to bolster consumer confidence by requiring merchants and processors to adopt the same types of data protections required by law for financial institutions.
In September 2006, the five major card associations formed the Payment Card Industry Security Standards Council (PCI-SSC) for purposes of managing the PCI-DSS and providing a governing organization that would continuously refine the standard. Among other things, the PCI-SSC establishes the technical standards and audit procedures for the payment brands, provides lists of designated qualified security solution providers and establishes the criteria for certification of Qualified Security Assessors (QSA). QSAs are the only source of PCI-DSS compliance certification recognized by the PCI-SSC.
What is required of merchants under PCI-DSS?
There are 12 basic features to PCI-DSS, all of which contain detailed requirements for merchants to accept payment card transactions. Each member of the ecosystem is incentivized to ensure compliance at each end of the payment transaction. The requirements can be grouped into six broad directives:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
Additionally, compliance requirements contemplate "merchant levels" that are determined by each merchant’s transactional volume.
What is the GC’s role in PCI-DSS compliance?
- Communicate the risk and consequence of failure to comply with the appropriate PCI-DSS levels to the appropriate members of the corporate governance infrastructure. Compliance with PCI-DSS necessitates the hiring of internal and external experts, the constant attention to technological developments in payment system technologies and, above all, requires the appropriate level of capital investment to maintain compliant systems. The consequences of failure could mean the inability to accept payment by credit or debit card. A data breach involving cardholder data could expose the breaching party to significant fines as a result of the exposure created throughout the payment ecosystem to the other participants.
- Conduct a thorough review and evaluation of the organization’s PCI-DSS compliance at regular intervals to ensure that compliance processes and policies are current and accurate for the organization.
- Collaborate continuously with other members of the company’s payment card ecosystem to review existing threats and potential vulnerabilities that could impact the payment system. Understanding the risk landscape will enable general counsel to communicate and educate others in your organization about potential risks and will facilitate adequate preparation and defense.
- Frequently review PCI-DSS documentation and updates to ensure that the company’s compliance practices are current and regularly conduct assessments of third party compliance so that risks are quickly identified and mitigated. Be mindful of internal changes, such as a turnover in IT personnel, which can result in gaps in oversight.
- Carefully review agreements with acquiring banks and merchant service providers to understand the contractual requirements and obligations placed upon the company. The third party payment processing market is rapidly growing as the payments industry evolves in response to new technologies and changing consumer demands. General counsel can be essential in negotiating favorable terms and rates when they understand the fee structures in processing agreements.
As the rate of data breaches and cyber-attacks continues to rise, it remains imperative for general counsel to understand the risk landscape of payment card processing systems and to create a plan to mitigate such risks in the future.