Stiff Fines for Businesses Not Following PCI Security Standards
by Theodore F. Claypoole

U.S. retailers and banks are adjusting to a new era of information security requirements, as credit card companies enforce Payment Card Industry (PCI) security standards with fines and audits. A company can be fined for failing to meet these standards even if it has not experienced a security breach.

Any company that accepts customer payments using Visa, MasterCard, Discover or American Express credit or debit cards must contractually comply with the PCI security standards. Although the requirements do not have the force of government behind them, retailers that fail to comply could lose the right to participate in the card processing system. Visa's program includes a fine of up to $500,000 per incident if a merchant or service provider has compromised data and is not PCI-compliant at the time of the breach. The payment card companies clarified their rules in September 2006 and made the language more compulsory and enforceable. Already in 2007, the companies have issued significant fines for violating the rules.

The PCI standards call for following 12 security requirements that are generally recognized as a basic data protection regime, including building and maintaining a secure network, protecting cardholder data through encryption, managing vulnerabilities (such as regularly updating anti-virus programs), implementing access control procedures, monitoring and testing networks, and following an information security policy. The PCI rules also require that many retailers undergo outside audits.

Both Visa and MasterCard offer safe harbor status to retailers that can establish PCI compliance and demonstrate that their data protection strategies and actions have been validated by their bank. This safe harbor qualification could save the merchant from large fines if data is compromised, but the merchant must establish that it was complying at the time of the incident.

The PCI rules are not the only reason that retailers should pay more attention to data security. Within the past 18 months, the Federal Trade Commission has focused on retail security breaches and has declared the practices of some companies unfair to customers and therefore a violation of federal law.

To learn more about the rules and moving toward compliance, merchants can obtain documents from the PCI Security Standards Council, such as a self-assessment questionnaire, a detailed description of security audit procedures and a list of qualified security assessors. In addition, the Council's website (www.pcisecuritystandards.org) is instructive for any retailer interested in data security.

Ted Claypoole is a Charlotte Member of Womble Carlyle Sandridge and Rice in the technology transaction group. He has long concentrated on the business and legal implications of information security and computer crime, first as in-house corporate counsel for CompuServe, Inc. and then as assistant general counsel for Bank of America. He now advises business clients and information security companies on contracting for data protection, allocating risk in digital certificate infrastructures and reacting to electronic threats. He has served on a U.S. Justice Department computer crimes task force and the Information Protection Committee for the Banking Industry Technology Secretariat.