While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators. Moreover, in many cases PCI compliance is performed by security professionals with no attorney collaboration and little understanding of the legal risks involved.
Unlike security laws, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI rules are imposed and typically enforced contractually through the “PCI Contract Chain.” The contracts in the contract chain can include indemnification requirements, duties to pay fines and penalties, duties to adhere to payment card operating rules and other duties related to the use of payment cards.
The contractual foundation of PCI presents several legal issues:
No direct contractual relationship between merchants and payment card companies. The significance of the chain is that there is typically no direct contractual relationship between payment card companies and merchants. Therefore, generally speaking, merchants cannot be directly required to legally adhere to Security Programs or the PCI Standard by payment card companies. Rather, if any contractual obligations do exist they are passed through the contract that exists immediately upstream from the merchant (e.g., the contract between the merchant and merchant bank or payment processor). Nonetheless, in practical terms, payment card companies may be able force compliance by leveraging their relationships with merchants and access to payment card processing.
No direct duty for service providers to comply with PCI or security programs. There is typically no inherent duty for a merchant's service providers to comply with the PCI Standard. Any duty for a service provider to comply with the PCI Standard will flow contractually from the merchant to the service provider (typically not from the payment card companies to the service provider). Therefore, unless merchants impose contractual obligations on their service providers, they may find themselves without leverage to force those service providers to become PCI compliant. A merchant's compliance with PCI is directly contingent on contractual obligations imposed on its service providers. The PCI Standard requires merchants to do the following:
If cardholder data is shared with service providers, then contractually the following is required:
- Service providers must adhere to the PCI DSS requirements
- Agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data the provider possesses.
If these duties are not contractually established, then the merchant may not be able to establish its compliance with PCI.
Matching upstream and downstream obligations and risk. The scope of a merchant's PCI obligations (including compliance with the PCI Standard and Security Programs) is dictated by its upstream contracts with merchant banks or service providers. Merchants must protect themselves by imposing upstream PCI contractual obligations and risks downstream to their service providers. So if a merchant agrees to pay fines and penalties for failure to comply with PCI, it should also require its service providers to pay any fines and penalties imposed on the merchant because of the service provider's failure to comply. In addition, to the extent that a card brand's operating rules and regulations are incorporated into a contract, to fully understand the risks a merchant is accepting it must review those rules to the extent possible (VISA now at least provides some access to its operating regulations).
PCI: A law without a judge or jury
The overarching problem with PCI is that it is a security standard effectively becoming a law. Unfortunately, the PCI Standard was not necessarily drafted like law; nor is it interpreted like a law. Rather it is interpreted by non-lawyer security professionals solely as a security standard – either qualified security assessors (QSAs) or a merchant's internal security team (in cases where a self-assessment is appropriate). There often may be no awareness as how security interpretations will be viewed by a court of law, and little to no lawyer involvement. In addition, existence of ambiguities in the PCI Standard (as drafted and as applied) and the methods that PCI stakeholders use to attempt to resolve those ambiguities can result in legal risk.
Action items for merchants
As the PCI Standard increasingly becomes the law, merchants must adjust their practices and develop a more legally-oriented approach to PCI compliance, including consideration of the following actions:
Choose QSAs wisely. Right now QSAs are the interpretative bodies of PCI. If a merchant uses a “fly-by-night” QSA it may be opening itself to risk. Merchants should use QSAs that are not afraid to give the merchant “bad news” and that understand how their interpretations may be viewed in a court of law.
Insurance. Make sure that your QSAs are fully insured for their errors and omissions, and try to get named as an additional insured on their policies if possible. In addition, the merchant should check its own policies to determine whether it is covered if one of its service providers suffers a breach or if the merchant is required to pay a fine or penalty for non-compliance with PCI.
No Rubber Stamp or Check Box Mentality. Despite potential pressures to become PCI compliant quickly and at the least cost, merchants should not view their internal security personnel or QSAs as “rubber stamps” of PCI compliance. QSAs, like all professional service providers, usually will work hard to please their clients. However, if this causes them to take shortcuts or apply loose interpretations, it could come back to haunt the merchant in the long run. Moreover allowing internal security professionals to treat the self-assessment questionnaire as a “check box” exercise may increase legal risk and should be avoided.
Develop Relationships with General Counsel. The merchant's security team must engage the general counsel (or other members of the merchant's legal team). Many attorneys are intimidated by technology and security issues and may not be aware of the legal issues surrounding PCI compliance. Internal security professionals need to act as the expert advisors to the merchant's legal team and work together to translate security practices into legally compliant practices.
Narrow Interpretations. To reduce risk of liability, security professionals should err on the side of interpreting the PCI Standard literally and narrowly. Of course, this may conflict with other goals such as keeping expenses down and avoiding business disruptions. The security team should work with the merchant's business decision-makers and risk managers to achieve a balance that reflects the organization's risk tolerance.
As the legal ramifications of PCI continue to develop and increase, PCI compliance will become an increasingly risky endeavor for merchants. Unfortunately, because the system is run privately by the payment card companies and does not have a centralized body to provide binding guidance and rulings, the system may pose more risk than a traditional governmental regulatory scheme. Regardless, now is the time for merchants to begin engaging their legal teams to address PCI compliance, and opening the lines of communication between the lawyers and security pros. It is also the time to approach and engage the PCI Council, and other PCI stakeholders to develop a centralized body to provide publicly available and binding guidance and decisions resolving ambiguities within PCI. If these actions are not taken, the PCI Standard could present significant liability challenges for the retail community.
David Navetta is a lawyer with InfoSecCompliance, LLC.