International Trade Today is a service of Warren Communications News.

Credit-Card Security Standard Opens Legal Can of Worms

Liability risks and uncertainties are emerging for online businesses and others as a unified security standard for the credit-card system takes effect and is absorbed into the law, members of an American Bar Association panel said Tuesday. The Payment Card Industry Data Security Standard “is not a law but in reality it is becoming a legal standard” via contracts and state legislation and as a standard of care in negligence lawsuits over data breaches, said David Nevetta, president of InfoSecCompliance and vice chair of the ABA’s Information Security Committee. The committee has set up a PCI working group to study legal risks and liability, he said.

Crucial provisions of PCI are unclear, said participants in a webcast and teleconference. Authoritative readings are scarce, and security efforts by companies in the system may fall short because they cut corners or treat the standard as a ceiling instead of a floor, they said.

PCI was created in 2004 in response to lobbying by companies facing varying data-security requirements from American Express, Discover, JCB, MasterCard and Visa, said Arshad Noor, chief technology officer of security compliance company StrongAuth. The standard’s requirements of annual self-assessments or independent assessments, and quarterly network scans at Internet and brick-and-mortar merchants, have been phased in from September 2007 through this year, by company category as defined by credit-card transaction volume.

PCI imposes 12 requirements aimed at maintaining a secure network, a vulnerability-management program and an information-security policy, protecting cardholder data, imposing strong access control, and monitoring and testing the network regularly, Noor said. The standard forbids an e-tailer from keeping much credit-card data on a customer, such as the security number, beyond the account number and expiration date, said Alex Pezold, FishNet Security director of strategic solutions. He said a law firm holding enough credit-card information for a client to meet compliance thresholds can be subject to the requirements.

The PCI Security Standards Council can impose fines of up to $25,000 monthly and ultimately disqualify participating companies from processing card transactions, Pezold said. Even before the standard took full effect, fines totaled $3.4 million in 2006 and $4.2 million in 2007, he said.

Some PCI requirements are disturbingly vague, Noor said. A previous version of the standard specified use of a 256-bit Advanced Encryption Standard algorithm, but the current version calls only for “strong encryption,” he said. The standard doesn’t say which of dozens of ways to manage encryption keys must be used, Noor said. This task is much more difficult than encryption or decryption, and it’s too much to expect merchants and their service providers to sort this out, he said.

The standard has at least one big hole, Noor said. It applies to data over an “open and public network” such as the Internet but doesn’t address private networks, though they “are visible to those who have access” to them, he said. PCI allows use of “compensating controls” while a company is coming into compliance, but these involve only detection, not prevention, of unauthorized access to data, Noor said. And the provision’s vagueness opens a “question of fact” in any legal dispute, Nevetta said. That turns into a “battle of the experts,” which means that as the defendant “sometimes you lose,” he said.

And merchants are known to shop for assessment contractors willing to rubber-stamp security measures for certification, Noor said. Companies too often fail to seek good security in favor of passing the PCI test, Noor and Nevetta said, and this can land them in legal hot water.

Interpretations the standards council offers by e-mail don’t always help much, Nevetta said. The responses sometimes simply refer senders to the card brands or others, and they aren’t issued publicly, he said. Individual players in the system often offer their own conflicting interpretations, said Nevetta. The murkiness contrasts with the clear hierarchy of private opinions on standards encountered in the accounting industry, he said.

PCI’s legal force starts as “a chain of contract obligations” between players in the credit-card processing system, Nevetta said. The standard requires merchants to make Web hosts, data-storage companies and other service providers comply with the standard, with merchants potentially responsible for providers’ IT breaches, Nevetta said. That’s a problem for merchants with long-term contracts, because they have no leverage to force providers to accept the obligation, he said.

Courts treat PCI as an industry standard in negligence cases, as seen in the giant TJX breach, Nevetta said. But companies thinking themselves clear of liability if they comply with the standard may have nasty surprises, he said. “It’s just a minimum set of security controls.”

Meanwhile, efforts to write parts of the standard into state law are spreading, Nevetta said. Minnesota’s Plastic Card Security Act of 2007 is the only one enacted, he said. But similar bills have been introduced in more than 10 other states, including California, Illinois, Michigan, New Jersey and Texas, Nevetta said.