Paper on Payment Standards

Anonymous
timer Asked: Apr 8th, 2018
account_balance_wallet $20

Question description

You are requested to write a paper on PCI DSS to discuss the following:

- What is PCI DSS

- Importance of PCI DSS, hence, charts and graphs of growth and transactions.

- Security risk for non compliance

- Challenges of PCI DSS

Included some references to help in the subject, please feel free to add extra but related contest to the above.

The project deliverable has to meet the template standard in the attached file called (Project Template) with total pages not to exceed 7 inclusive of reference. in addition to ppt presentation that summerizes the content with headlines, charts and graphs.

Type the title of your article, only capitalize first word and proper nouns First-name Surname1*, Second-name Surname2 and Third-name Surname3 Affiliation 1, Email address, University, City, Country Affiliation 1, Email address, University, City, Country 3 Affiliation 1, Email address, University, City, Country 1 2 *Corresponding Author ABSTRACT An Abstract is required for every article; it should succinctly summarize the reason for the work, the main findings, and the conclusions of the study. The abstract should be no longer than 250 words. Do not include artwork, tables, elaborate equations or references to other parts of the article or to the reference listing at the end. The reason is that the Abstract should be understandable in itself to be suitable for storage in textual information retrieval systems. Keywords: Keyword_1; Keyword_2; Keyword_3; Keyword_4; Keyword_5 1. Introduction We believe a template should help you, not hinder you, in authoring your article. It should follow you in how you want to write your article, not force you to fill in bits and pieces of text. It should allow you to type any text, copy from previous versions, or load an already existing plain text to be formatted. You will therefore find no fill-in screens; you will not need to remember shortcut keys, to use lists of styles, bother about alignment, indents, fonts and point sizes. Just a mouse-click at one of the menu options will give you the style that you want. The objective of this template is to enable you in an easy way to style your article attractively. It should be emphasized, however, that the final appearance of your article in print and in electronic media will very likely vary to greater or lesser extent from the presentation achieved in this Word® document. 2.1. Article Size The Manuscript should be prepared in English language by using MS Word. Article can be up to 7 pages inclusive references and abstract. Supply some 3–5 keywords, separated with semicolons, e.g., Azomethine ylide; Claisen rearrangement; Diels-Alder cycloaddition; Enantioselective catalysis; Ionic liquid; Metathesis; Microwave-assisted synthesis. 3. The main text You will usually want to divide your article into (numbered) sections. Headings should reflect the relative importance of the sections. Your article can go beyond 4th order heading. Ensure that all tables, figures and schemes are cited in the text in numerical order. Trade names should have an initial capital letter, and trademark protection should be acknowledged in the standard fashion, using the superscripted characters for trademarks and registered trademarks respectively. All measurements and data should be given in SI (System International) units where possible, or other internationally accepted units. Abbreviations should be used consistently throughout the text, and all nonstandard abbreviations should be defined on first usage. The experimental information should be as concise as possible, while containing all the information necessary to guarantee reproducibility. 2. The first page Naturally, your article should start with a concise and informative title. Do not use abbreviations in title. Next, list all authors with their first names or initials and surnames (in that order). Indicate the author for correspondence. After having listed all authors’ names, you should list their respective affiliations. Link authors and affiliations using superscript lower-case letters from the ‘Author Footnote Symbols’ menu in the toolbar. 1 Figure 1. (a) Fairness index, (b) Average Fairness Index Table 1. Table, version 1 Parameter Slot time ACK size RTS size CTS size Data packet size DIFS interval SIFS interval CWmin CWmax Bandwidth Transport protocol Value 20 μs 20 bytes 25 bytes 20 bytes 1000 bytes 40 μs 10 μs 31 1023 2 Mbps UDP Parameter Slot time ACK size RTS size CTS size Data packet size DIFS interval SIFS interval CWmin CWmax Bandwidth Transport protocol Value 20 μs 20 bytes 25 bytes 20 bytes 1000 bytes 40 μs 10 μs 31 1023 2 Mbps UDP 3.1. Tables, figures and schemes All citations of figure and tables in text must be in numerical order. Citations to figures in text always carry the word “Figure.”, “Table.” followed by the figure/table number. You can choose to display figure/table through one column (see Table 1, Figure 1) or across the page (see Table 2, Figure 2). Remember that we will always also need high-resolution versions of your figures for printing in (i.e. TIFF) format. Table 2. Table, version 2 Parameter Slot time ACK size RTS size CTS size Data packet size DIFS interval Bandwidth Transport protocol Figure 2. Overload on GV and IV vehicles Value 20 μs 20 bytes 25 bytes 20 bytes 1000 bytes 40 μs 2 Mbps UDP 3.2. Lists For tabular summations that do not deserve to be presented as a table, lists are often used. Lists may be either numbered or bulleted. Below you see examples of both. 1. The first entry in the list 2. The second entry 3. A subentry 4. The last entry • • 2 A bulleted list item Another one [4] You can use the Bullets and Numbering options in the ‘Formatting’ toolbar of Word® to create lists. Note that you should first block the whole list. A sublisting is coded using the ‘Increase Indent’ (go to a sublevel of numbering) and ‘Decrease Indent’ (go to a higher level of numbering) buttons. Basic format for journals: [5] J. K. Author, “Name of article,” Abbrev. Title of Periodical, vol. x, no. x, pp. xxx-xxx, Abbrev. Month, year. Examples: [6] J. U. Duncombe, “Infrared navigation—Part I: An assessment of feasibility,” IEEE Trans. Electron Devices, vol. ED-11, no. 1, pp. 34–39, Jan. 1959. [7] E. P. Wigner, “Theory of traveling-wave optical laser,” Phys. Rev., vol. 134, pp. A635–A646, Dec. 1965. [8] E. H. Miller, “A note on reflector arrays,” IEEE Trans. Antennas Propagat., to be published. 3.3. Equations Equations within an article are numbered consecutively from the beginning of the article to the end. All variables are italic. (e.g., x, y, n). Function names and abbreviations are Roman (sin, cos, sinc, sinh), as are units or unit abbreviations (e.g., deg, Hz,) complete words (e.g., in, out), and abbreviations of words (e.g., max, min), or acronyms (e.g., SNR). You can type your equations and use the symbols in the Word® equation editor or in MathType™. Using the ‘Insert Equation’ option, you can create equations in the Word® equation editor, or if the MathType™ equation editor is installed on your computer.     (empir,1.388Å) (theor,1.388Å)    (theor) cos  W.-K. Chen, Linear Networks and Systems. Belmont, CA: Wadsworth, 1993, pp. 123–135. Basic format for reports: [9] J. K. Author, “Title of report,” Abbrev. Name of Co., City of Co., Abbrev. State, Rep. xxx, year. Examples: [10] E. E. Reber, R. L. Michell, and C. J. Carter, “Oxygen absorption in the earth’s atmosphere,” Aerospace Corp., Los Angeles, CA, Tech. Rep. TR-0200 (4230-46)-3, Nov. 1988. [11] J. H. Davis and J. R. Cogdell, “Calibration program for the 16-foot antenna,” Elect. Eng. Res. Lab., Univ. Texas, Austin, Tech. Memo. NGL-006-69-3, Nov. 15, 1987. Basic format for handbooks: [12] Name of Manual/Handbook, x ed., Abbrev. Name of Co., City of Co., Abbrev. State, year, pp. xxx-xxx. Examples: [13] Transmission Systems for Communications, 3rd ed., Western Electric Co., Winston-Salem, NC, 1985, pp. 44–60. [14] Motorola Semiconductor Data Manual, Motorola Semiconductor Products Inc., Phoenix, AZ, 1989. (1) Acknowledgments Acknowledgments should be inserted at the end of the article, before the references. When citing names within the Acknowledgment, do not use Mr., Mrs., Ms., or Miss. List first initial and last name only. Use the Dr. or Prof. title with each name separately; do not use plural Drs. or Profs. with lists of names. Basic format for books (when available online): [15] Author. (year, month day). Title. (edition) [Type of medium]. volume (issue). Available: site/path/file Example: [16] J. Jones. (1991, May 10). Networks. (2nd ed.) [Online]. Available: http://www.atm.com References Basic format for journals (when available online): [17] Author. (year, month). Title. Journal. [Type of medium]. volume (issue), pages. Available: site/path/file Example: [18] R. J. Vidmar. (1992, Aug.). On the use of atmospheric plasmas as electromagnetic reflectors. IEEE Trans. Plasma Sci. [Online]. 21(3), pp. 876–880. Available: http://www.halcyon.com/pub/journals/21ps03-vidmar The journal uses the IEEE Template for references formatting. References in the text should be indicated by Arabic numerals that run consecutively through the article and appear inside punctuation. Authors should ensure that all references are cited in the text and vice versa. Authors are expected to check the original source reference for accuracy. See examples shown in the References section. In text, refer simply to the reference number. Do not use “Ref.”, “reference” or “Reference [3] shows ....” use as demonstrated in [3], according to [4] and [69]. Please do not use automatic endnotes in Word, rather, type the reference list at the end of the article using the “References” style. The authors encourage using the “EndNote” software to format and insert the references into the article (http://endnote.com/). IEEE EndNote template can be downloaded from (http://endnote.com/downloads/template/ieee). Below is the references formatting: Basic format for articles presented at conferences (when available online): [19] Author. (year, month). Title. Presented at Conference title. [Type of Medium]. Available: site/path/file Example: [20] PROCESS Corp., MA. Intranets: Internet technologies deployed behind the firewall for corporate productivity. Presented at INET96 Annual Meeting. [Online]. Available: http://home.process.com/Intranets/wp2.htp Basic format for reports and handbooks (when available online): [21] Author. (year, month). Title. Comp an y . C ity, State or Country. [Type of Medium].Available: site/path/file Example: [22] S . L . T a l l e e n . ( 1 9 9 6 , A p r . ) . T h e I n t r a n e t A r c h i te c tu r e : M a n a g i n g i n f o r m a t i o n i n t h e n e w paradigm. Amdahl Corp., CA. [Online]. Available: http://www.amdahl.com/doc/products/bsg/intra/infra/html Basic format for computer programs and electronic documents (when available online). Example: [23] A. Harriman. (1993, June). Compendium of genealogical software. Humanist. [Online]. Available e-mail: HUMANIST@NYVM.ORG Message: get GENEALOGY REPORT Basic format for books: [1] J. K. Author, “Title of chapter in the book,” in Title of His Published Book, xth ed. City of Publisher, Country if not [2] USA: Abbrev. of Publisher, year, ch. x, sec. x, pp. xxx–xxx. Examples: [3] G. O. Young, “Synthetic structure of industrial plastics,” in Plastics, 2nd ed., vol. 3, J. Peters, Ed. New York: McGraw-Hill, 1964, pp. 15–64. Basic format for patents (when available online): 3 [24] Name of the invention, by inventor’s name. (year, month day). Patent Number [Type of medium]. Available: site/path/file Example: [25] Musical toothbrush with adjustable neck and mirror, by L.M.R. Brooks. (1992, May 19). Patent D 326 189 [Online]. Available: NEXIS Library: LEXPAT File: DESIGN Basic format for conference proceedings (published): [26] J. K. Author, “Title of article,” in Abbreviated Name of Conf., City of Conf., Abbrev. State (if given), year, pp. xxxxxx. Example: [27] D. B. Payne and J. R. Stern, “Wavelength-switched pas- sively coupled single-mode optical network,” in Proc. IOOC-ECOC, 1985, pp. 585–590. Example for articles presented at conferences (unpublished): [28] D. Ebehard and E. Voges, “Digital single sideband detection for interferometric sensors,” presented at the 2nd Int. Conf. Optical Fiber Sensors, Stuttgart, Germany, Jan. 2-5, 1984. Basic format for patents: [29] J. K. Author, “Title of patent,” U.S. Patent x xxx xxx, Abbrev. Month, day, year. Example: [30] G. Brandli and M. Dick, “Alternating current fed power supply,” U.S. Patent 4 084 217, Nov. 4, 1978. Basic format for theses (M.S.) and dissertations (Ph.D.): [31] J. K. Author, “Title of thesis,” M.S. thesis, Abbrev. Dept., Abbrev. Univ., City of Univ., Abbrev. State, year. [32] J. K. Author, “Title of dissertation,” Ph.D. dissertation, Abbrev. Dept., Abbrev. Univ., City of Univ., Abbrev. State, year. Examples: [33] J. O. Williams, “Narrow-band analyzer,” Ph.D. dissertation, Dept. Elect. Eng., Harvard Univ., Cambridge, MA, 1993. [34] N. Kawasaki, “Parametric study of thermal and chemical nonequilibrium nozzle flow,” M.S. thesis, Dept. Electron. Eng., Osaka Univ., Osaka, Japan, 1993. Basic format for the most common types of unpublished references: [35] J. K. Author, private communication, Abbrev. Month, year. [36] J. K. Author, “Title of article,” unpublished. [37] J. K. Author, “Title of article,” to be published. Examples: [38] A. Harrison, private communication, May 1995. [39] B. Smith, “An approach to graphs of linear forms,” unpublished. [40] A. Brahms, “Representation error for real numbers in binary computer arithmetic,” IEEE Computer Group Repository, Article R-67-85. Basic format for standards: [41] Title of Standard, Standard number, date. Examples: [42] IEEE Criteria for Class IE Electric Systems, IEEE Standard 308, 1969. [43] Letter Symbols for Quantities, ANSI Standard Y10.5-1968. 4
PCI DATA SECURITY Counting the cost of non-compliance with PCI DSS Robert Kidd, general manager EMEA, Tripwire With penalties ranging from fines to the ultimate sanction of issuers removing the right to accept cards, organisations across every vertical market are now aware of the business risk linked to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). Add in the negative publicity associated with a breach in credit card security, and failure to address PCI requirements could become a business-threatening oversight. Serious misconceptions still exist, however, about the processes required to achieve compliance. Many organisations are under the misapprehension that compliance requires little more than completing the PCI DSS self-assessment questionnaire. This is far from the truth. In reality this questionnaire – which has to be completed quarterly – has been designed to simplify reporting, not compliance. Many organisations blithely believe they have achieved compliance after having followed the processes laid out in the questionnaire. Yet the questionnaire makes no mention of, for example, encryption key management, to which ten sub-requirements are dedicated in Section 3 of the PCI DSS. An organisation may well ignore these key management requirements if it is basing its compliance activity on the questionnaire, only to face an uncomfortable reality if and when a compromise occurs, and when an assessor turns up to conduct an audit. Newer versions of the questionnaire have been released that follow the PCI standard more closely. Nonetheless, this questionnaire is a supporting document of the standard and it does not, in any way, drive compliance requirements. Second time around The arrival of the PCI assessor is now creating significant issues for even those organisations that achieved compliance November 2008 first time around. These organisations are discovering that during re-compliance assessors are looking for in-depth validation of processes and policies. While initial compliance required organisations to demonstrate the existence of appropriate policies and procedures, the need one year on is for a detailed audit trail to provide evidence that all policies and procedures have been diligently followed. Companies often get caught out and have to pay out during the second audit. In addition, this evidence is becoming an area of major corporate pain. Although credit card associations themselves are unwilling to provide information on non-compliance, there is growing anecdotal evidence that many previously compliant organisations are struggling with the re-compliance process. These organisations are spending months to painstakingly collect and collate key audit trail information in order to demonstrate that the right processes have been followed – time and resources that few can afford in the current economic and regulatory climate. “The arrival of the PCI assessor is now creating significant issues for even those organisations that achieved compliance first time around” More worryingly for these organisations, there is also a growing awareness – and associated fear – that achieving annual compliance is not enough. As Hannaford grocery chain in North America recently discovered, PCI DSS compliance is no guarantee against system compromise. An estimated four million of its customers’ credit card and debit card records were accessed just months after the company passed its PCI DSS audit. The problem is that system changes can very quickly take an organisation out of its compliant state and create security vulnerability. Without continuous system monitoring it is impossible for an organisation to keep track of its compliance status between audits. Yet, with growing pressure across every market to improve the management of customer information, compliance with PCI DSS is becoming increasingly important. How can organisations manage this key compliance requirement without needing excessive resources or facing the continual fear of slipping out of a state of compliance as a result of system change? Simplified process Validating compliance can be fundamentally simplified through two basic steps. The first step to achieving compliance is to assess the current infrastructure stack’s level of compliance with the elements of the PCI DSS. This assessment will either confirm compliance or provide a gap analysis, highlighting current areas of potential risk and enabling organisations to effectively allocate resources. Once these issues have been addressed to achieve a known and trusted compliant state the organisation can put in Computer Fraud & Security 13 RBAC place system infrastructure monitoring with change auditing to ensure compliance is sustained. Changes are assessed, both against those logged in the change management database and the compliance requirements, and IT staff are immediately alerted to any unauthorised changes. This not only raises an alert if the organisation slips out of compliance but also ensures that potential security weaknesses are flagged before a customer data compromise can occur. To date the PCI DSS assessors have not mandated this level of continuous monitoring to ensure year-round compliance but there is a growing awareness that such activity is key to sustaining compliance and minimising business risk. Broad appeal Behind closed doors, 2007 saw a record level of fines issued for non-compliance and data breaches. Companies are struggling to collate information in order to demonstrate a robust audit trail of PCI DSS-compliant processes and still maintain compliance between audits. Without automation through continuous monitoring and reporting, the process is both resource intensive and potentially valueless. Why spend months achieving PCI DSS compliance only to slip out of compliance within weeks of achieving it, due to a system change? Organisations within the insurance, financial services, and hospitality industries that are increasingly looking to achieve PCI DSS compliance in order to protect customer information would do well to look at the experiences of retail organisations that have embarked upon compliance and re-compliance activity in recent months. It is possible to simplify and automate the compliance process but failure to understand the true compliance requirements and continually monitor for non-compliance will add cost, resources, and, critically, significant business risk. References 1. PCI Security Standards Council. “PCI DSS.” PCI Security Standards Council. October 2008 Version 1.2. 2 October 2008 . Adapting organisations for role-based access control measures Ivan Milenkovic Ivan Milenkovic, senior security consultant, Atos Origin Today’s mantra for information security is governance, risk management, and compliance (GRC). This ideal model, if implemented correctly, brings significant benefits to the security position of almost any organisation. Some important components in the achievement of full GRC are authorisation, segregation of duties, auditability and structured access-control. The most effective and easiest way of addressing each of these in a coordinated approach is through role-based access control (RBAC). The basic concept of RBAC is that, within an organisation, roles are created for various job functions, and staff members are assigned specific roles. Corresponding roles are created in the access control system, and access privileges are assigned to the roles, instead of staff members. Thus staff members acquire access privileges by being 14 Computer Fraud & Security assigned roles. The use of roles facilitates policy-based management of access control that mirrors the actual job requirements of an organisation’s staff.1 RBAC enables you to move away from point solutions and a silo culture that limits an organisation’s operational effectiveness. Define the case for RBAC Projects involving the introduction of roles and role-based access control are frequently described as costly, endless, or unsuccessful. In addition, the abundance of examples may make you ask if it is worth initiating such a project in the first place. Thus, it is very important to understand and outline the potential business drivers and benefits that could drive successful implementations. Depending on the industry or size of the organisation, the main drivers to consider are: • • • • • • Policy enforcement User lifecycle management Regulatory compliance Competitive advantage User experience Cost savings Building a successful business case would not be complete without defining the expected outcome based on the initial set of requirements, in order to satisfy: November 2008
computer law & security report 24 (2008) 540–554 available at www.sciencedirect.com www.compseconline.com/publications/prodclaw.htm Security and payment card industry regulation PCI DSS: Payment card industry data security standards in context Edward A. Morsea, Vasant Ravalb a Creighton University School of Law, USA Creighton University College of Business Administration, USA b abstract In recent years, the payment card industry has dealt with the matter of consumer liability for unauthorized charges. However, risks to consumers from identity theft and related use of personal data present new challenges for cardholders and those who profit from their usage, including merchants, banks, and payment card companies. This article examines the varying and sometimes complementary roles that legal obligations and private ordering play in incentivizing security measures to protect consumers. It shows that, in the legal environment within the United States, which lacks comprehensive legal protections for consumer privacy and security, private ordering rooted in economic incentives within the payment card industry can also bring about enhanced security for consumers. The Payment Card Industry Data Security Standards (‘‘PCI DSS’’) have emerged from private ordering, although threats of legal liability have also influenced their development and implementation. The article evaluates the basic framework of PCI DSS and raises issues for further development as the government, the legal system, and the industry cope with security threats in this environment. ª 2008 Edward A. Morse & Vasant Raval. Published by Elsevier Ltd. All rights reserved. 1. Introduction Payment cards – including credit cards, debit cards, and stored value cards – play a significant role in consumer transactions. In 2006, an estimated 2.27 billion payment cards were used in more than 74 billion transactions, with a total dollar volume of more than $5.9 trillion.1 More than half of this global 1 transaction market belongs to Visa, the world’s leading payment card firm.2 Other significant competitors in the United States include Mastercard, American Express, and Discover.3 The payment card industry is located between two interrelated markets: consumers who use payment cards (end-user or consumer market) and the merchants who accept them (merchants market).4 Some payment card systems are Source: VISA, Inc., Form S-4, June 22, 2007, at p. 134, available at http://www.sec.gov/Archives/edgar/data/1403161/ 000119312507140569/ds4.htm (accessed 4/1/08) [hereinafter VISA Form S-4 (2007)]. 2 Id. at 133. Visa estimates that more than 1.3 billion of its branded cards are in circulation in 2006, and that these cards are accepted at more than 26 million merchants and one million ATMs, with a total dollar volume of more than $3.2 trillion. This dollar volume represents a three-fold increase since 1997, when Visa first reported exceeding the $1 trillion mark. See Visa ‘‘History and Milestones’’ at http://corporate.visa.com (accessed 4/1/08). 3 See, e.g., Paycom Billing Services, Inc. v. Mastercard Intern., Inc., 467 F.3d 283, 285 (2d Cir. 2006). 4 See generally Steven Semeraro, Credit Card Interchange Fees: Three Decades of Antitrust Uncertainty, 14 Geo. Mason L. Rev. 941 (2007). Economists sometimes refer to this situation as a ‘‘two-sided market’’. A newspaper that sells to both readers and advertisers is also a two-sided market. See id. at 950. 0267-3649/$ – see front matter ª 2008 Edward A. Morse & Vasant Raval. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2008.07.001 computer law & security report 24 (2008) 540–554 unitary, in which the payment card company controls functions that include issuing cards to consumers and acquiring merchant accounts to accept those payments.5 Non-unitary systems involve a network in which independent entities, such as banks, compete for customers in both markets.6 For example, issuing banks will compete for cardholders, and acquiring banks will compete for merchant accounts.7 Relationships within the industry are illustrated in Fig. 1. In both unitary and non-unitary systems, industry profits depend on a seamless and trustworthy transaction network that fosters confidence among end-users.8 As with other networks involving diffused ownership, shared standards or rules across the two markets are needed to ensure effective functionality. Although some of these standards or rules may be imposed by the government or entities outside of the network, others are a product of private ordering that emerges within the network.9 This article addresses security standards that impact the protection of consumer data within the payment card industry and the influences of law and private ordering on emerging issues involving consumer protection. Consumer protection from liability for unauthorized charges is one important dimension of consumer trust. Early in the developmental history of credit cards,10 the Federal government provided legislation to protect consumers from unauthorized charges.11 However, the industry has chosen to expand consumer protections through contract by enacting ‘‘zero liability’’ policies. Such policies induce consumer trust and confidence, allowing them to acquire and use their cards without fear of liability for unauthorized charges from a lost or stolen card.12 Consumers are also learning that unauthorized payment card charges are not the only form of insecurity that should concern them. Recent years have seen identity theft, including leakage of credit card data, as the single largest category of frauds. Personal data associated with payment cards present additional risks that transcend the limited liability associated with the cards. In the wrong hands, such data can result 5 See id at 946. Discover and Diner’s Club are examples of networks classified primarily as unitary. 6 See id. Mastercard and Visa are examples of non-unitary systems. Other brands, including American Express, may have both unitary and non-unitary features. 7 See id. 8 See generally Vasant Raval & Aschok Fichadia, Risks, Controls, and Security 58–61 (Wiley, 2007) (discussing key objectives of information security). 9 See David V. Snyder, Private Lawmaking, 64 Ohio St. L. J. 371 (2003). 10 See United States v. Visa U.S.A., Inc. 163 F.Supp.2d 322, 333–34 (S. D.N.Y. 2001) (discussing emerging growth of payment card industry in early 1970s with formation of Visa and Mastercard organizations). 11 See 15 U.S.C. x 1643(a)(1) (limiting cardholder liability for unauthorized credit card charges to $50); 15 U.S.C. x 1693g(a) (limiting consumer losses for debt cards). As commentators have noted, this limitation applies regardless of any negligence on behalf of the consumer. See Clayton P. Gillette, Rules, Standards, and Precautions in Payment Systems, 82 Va. L. Rev. 181, 183 (1996). 12 See, e.g., Visa Security Program, Zero Liability at http://usa. visa.com/personal/security/visa_security_program/zero_liability. html?it¼cj/personal/security/visa_security_program/index.htmlj Zero%20Liability* (accessed 5/6/08). 541 in identity theft or other fraud, with devastating effects on consumers far beyond the payment card industry’s control. Large-scale security breaches involving payment card data, such as that experienced by TJX, Inc., have called attention to matters of security in this context.13 They have also spawned litigation to sort out the legal responsibilities for harms associated with those breaches.14 Government regulation of the security of personal data in the United States is neither comprehensive nor complete.15 Moreover, the assessment or allocation of costs associated with security breaches is currently unsettled, a matter that presents significant future challenges for this industry.16 Private ordering through contract has continued to play a dominant role in providing standards and facilitating compliance within the industry as it grapples with new technology and challenges to security. Economic incentives (or penalties) have thus far displaced legal proscriptions as the foundation for providing security within the payment card industry. This article provides an overview of seemingly cooperative efforts within the payment card industry (PCI) to provide common data security standards, known as PCI DSS. As discussed below, the PCI DSS model may indeed provide additional protection for consumers, but it appears to achieve those protections by imposing additional costs on merchants. Moreover, its protections leave open many legal and practical questions, including the effectiveness of consumer protection and the scope of cost shifting among participants in the network, which will need to be addressed in the future. Section 2 contextualizes the legal and economic environment in which the payment card industry operates, including the consequences for security breaches on various participants in the industry. Section 3 provides an overview of legislation and litigation as tools to incentivize investment in information security. Section 4 discusses PCI DSS as an alternative approach based on private ordering. Section 5 provides an assessment of the current state of data security in the payment card industry, summarizes unresolved issues, and identifies areas for further research and development. 2. Industry overview: costs, benefits, and risks of payment cards Payment card usage depends on interrelationships between two important groups: consumers and merchants. Understanding these interrelationships and the legal and economic environment in which they occur is a helpful predicate to understanding approaches to security. 13 See, e.g., In re TJX Companies Retail Security Breach Litigation, 524 F.Supp.2d 83, 85–86 (D. Mass. 2007). (‘‘In what has been described as the largest retail security breach ever, criminals hacked into the computer systems of TJX Companies, Inc. (‘‘TJX’’) and compromised the security of at least 45,700,000 customer credit and debit accounts.’’) 14 See id. at 86 (describing numerous cases filed involving this breach). 15 See Section 3, infra. 16 See id. 542 computer law & security report 24 (2008) 540–554 Brands impact Merchants Accept charges through Payment card system Use cards Consumers/card holders Can be Unitary Competes for merchant Issuing bank same accounts as the acquiring bank Non-unitary Issuing bank Acquiring bank Competes for cardholders Fig. 1 – Payment card industry features. 2.1. Demand interrelationships: consumers and merchants Consumer demand for payment cards depends significantly on a broad-based merchant acceptance, which ensures that payment card usage is convenient and practical. Payment card industry profits are directly linked to consumer usage; industry members thus have a shared economic interest to ensure that consumers prefer payment cards as the means to make their purchases. The industry often provides incentives to induce additional consumer demand, such as cash back, reward points, or airline miles. This consumer demand, in turn, affects the reciprocal willingness for merchants to accept this payment medium. Merchants incur transaction costs associated with accepting payment cards, and they may also incur other ancillary costs.17 As discussed below, the particular composition of those transaction costs can vary depending on whether a unitary or non-unitary payment card system is involved, but in either case the merchant experiences a discount from the price charged to the consumer, which provides the underpinning for industry costs and profits. In a non-unitary payment card system, banks that process merchant accounts (known as ‘‘acquiring banks’’) typically assess a small percentage of the transaction, and in some cases 17 These costs may include security measures, as discussed below. a fixed minimum fee may also be imposed. Transaction costs imposed by acquiring banks can vary depending on such factors as the type of firm involved, transaction volumes, and location. Banks are often reluctant to disclose those rates publicly, presumably due to competitive concerns among their clients. However, firms advertising on the Internet readily provide this information.18 Visa has publicly stated that it does not get involved in setting these charges imposed on merchants, which are characterized as a product of a competitive market.19 In addition to the fees imposed directly by an acquiring bank, the payment card association (such as Visa or Mastercard) in a non-unitary system will also impose a separate ‘‘interchange fee’’, which is not determined by the acquiring bank.20 The acquiring bank nevertheless collects this fee and remits it to the association. Some portion of this fee may also be shared with issuing banks, which thus benefit from 18 See, e.g., Merchant Accounts Express, Internet and Ecommerce Merchant Account Rates at (comparing fees with industry averages) http://www.merchantexpress.com/rates_internet.htm (accessed 5/7/08). 19 VISA Form S-4 (2007), supra note 1, at 147. (‘‘Merchant discount rates and other merchant fees are set by our acquirers without our involvement and by agreement with their merchant customers and are established in competition with other acquirers, other payment card systems and other forms of payment. We do not establish or regulate merchant discount rates or any other fees charged by our acquirers.’’) 20 See Semeraro, supra note 4, 14 Geo. Mason L. Rev. at 947. computer law & security report 24 (2008) 540–554 transactions by their customers as well as from any interest and fees charged to cardholders. The payment card industry takes the position that these fees are necessary to balance the respective costs and benefits from each side of this dual marketplace.21 However, this proposition is being contested in litigation.22 Despite the fact that merchants don’t receive the same kind of rewards as consumers and indeed they appear to incur transaction costs whenever a payment card is used, merchants may also benefit from payment card usage. Even cash-based businesses incur costs, including security, labor, and other transaction costs associated with counting and depositing cash. The relative magnitude of these costs and their impact on merchant preferences will vary depending on local conditions, but it is conceivable that payment cards could reduce or at least displace some of these costs.23 Other benefits from payment cards may include more rapid customer processing, thus enabling higher transaction volumes, reduced cycle time for cash collection, improved cash float, lower uncollectibles, and consequently, higher profits.24 Some businesses, such as those dealing by phone or by Internet, involve contexts where cash is simply not practical. (Even the neighborhood gas stations do not encourage you to go in their convenience stores any more just to pay for the gas.) Although competing payment forms, such as PayPal, have emerged, payment cards continue to be an important part of the business model in this environment. Moreover, merchants may also benefit from the consumer’s ability to finance a purchase that they might not otherwise afford. Some merchants may forego potential profits associated with granting store credit in favor of the payment card system. However, these merchants also avoid credit or payment risks, as the payment card system shifts these risks elsewhere within the payment network, primarily falling upon the issuing bank.25 2.2. Liability for costs from unauthorized charges The legal framework for risk-bearing is a significant factor affecting the development of payment systems, and particularly for credit card systems. Although a complete analysis of risk-bearing functions within the industry is beyond the scope of this article, risks associated with unauthorized 21 See id. at 947–49. See id. 23 See id. However, some commentators suggest that the cost variance is quite significant. See Adam J. Levitin, Priceless? The Social Costs of Credit Card Merchant Restraints, 45 Harv. J. on Legis. 1, 1–2 (2008). (‘‘On average, credit card transactions cost merchants six times as much as cash transactions and twice as much as checks or PIN-based debit card transactions.’’) 24 Visa promotes its contactless payment cards as tools for enhancing transaction volume. See VISA Form S-4 (2007), supra note 1, at 143. 25 Visa offers services to card issuers which allow transaction monitoring for the purpose of predicting bankruptcy of its cardholders, thus potentially permitting the avoidance of some of the associated losses. See VISA Form S-4 (2007), supra note 1, at 138. (‘‘Analyzing transaction attributes at the consumer level, AdvanceBK can identify accounts that do not demonstrate typical risky behaviors, but that may result in future bankruptcies.’’) 22 543 charges merit particular attention because of their close relationship to unauthorized access to cardholder information. As discussed below, risks for unauthorized charges have been resolved quite favorably to cardholders, but merchants have not fared so well. Lost, stolen, or counterfeit credit cards present a potential risk to the card payment system, which could potentially threaten the trust required for its viability. The consumer side of this trust equation has been addressed quite early in the history of credit cards through legislation favoring cardholders by limiting their liability for unauthorized charges.26 The industry has taken this further, as card payment systems have adopted ‘‘zero liability’’ policies for unauthorized charges.27 Such policies apparently reflect an effort to enhance consumer confidence in the payment card system by extending contractual protections that are greater than the statutory protections imposed by law. As a consequence of this pro-cardholder policy, someone else in the payment card network must bear the loss. In most cases, the merchant who received the unauthorized payment bears these direct costs through ‘‘chargebacks’’ to the merchant account. This essentially translates into two losses: First, the merchant loses the value of goods or services provided to the unauthorized user and second, the merchant may also incur additional fees associated with this chargeback. The ‘‘chargeback’’ process was explored recently in litigation involving Mastercard.28 After a cardholder disputes a charge, the issuing bank reverses the cardholder’s charge and notifies the acquiring bank to return these funds.29 The acquiring bank deducts the funds from the merchant’s account pending resolution of the dispute.30 The merchant may reverse a chargeback by producing a signed sales receipt from the cardholder, which is possible if the customer was present at the point of sale.31 For merchants selling by telephone or over the Internet, a signed receipt is not available. In these circumstances – known as ‘‘card not present’’ (‘‘CNP’’) transactions, the merchant bears the loss.32 If a merchant (i.e., the acquiring bank’s customer) has too many chargebacks, the acquiring bank may also be subjected to fines and penalties,33 although in practice these costs may ultimately be passed on to the merchants. Under this system, the direct costs of unauthorized transactions are passed back to the merchant, rather than born by the cardholder. This provides an incentive for merchants to monitor their customers and to take precautions against 26 See 15 U.S.C. x 1643(a)(1) (limiting cardholder liability for unauthorized credit card charges to $50); 15 U.S.C. x 1693g(a) (limiting consumer losses for debit cards). 27 See, e.g., VISA Security Program, Zero Liability (‘‘With Visa’s Zero Liability policy, your liability for unauthorized transactions is $0 – you pay nothing.’’), available at http://usa.visa.com/ personal/security/visa_security_program/zero_liability.html (accessed 6/9/08). 28 See Paycom Billing Services, Inc. v. Mastercard Intern., Inc., 467 F. 3d 283, 286–88 (2d Cir. 2006). 29 See id. at 286. 30 See id. 31 See id. at 286–87. 32 See id. 33 See id. at 287. 544 computer law & security report 24 (2008) 540–554 fraudulent usage. As the Second Circuit has explained, ‘‘From the acquiring bank’s vantage point, the failure to pass back these costs would not only decrease their revenue but would also increase the risks of fraud by eliminating any incentive on the part of CNP merchants to limit it.’’34 It is also possible that the merchant may, in turn, pass all or at least a portion of these costs to other customers, including those who do not use credit cards.35 However, constraints on this ability would include competition from firms that do not accept credit cards or discourage use of cards by offering cash payment bonus, and thus have cheaper cost structures, as well as the potential for fines and penalties that acquiring banks impose on excessive chargebacks, as noted above. Of course, the above discussion is not exhaustive or complete concerning the practices of payment card networks. Variations may also exist within particular card brands. As the Second Circuit recognized, in some cases acquiring banks in the Mastercard network may choose not to pass along the charges to its merchant customers.36 Contract terms and local practices may vary depending on the particular costs and benefits of enforcing their terms. Moreover, some of the costs of preventing fraudulent transactions are indeed born by the card payment companies themselves. For example, Visa has developed proprietary algorithms for fraud detection, which it uses to monitor accounts for the purpose of preventing unauthorized charges.37 Nevertheless, the general practices outlined here show significant correlation between the direct responsibility for losses in the system and the incentives for preventing those losses, which both rest primarily in the hands of merchants. 2.3. Problems of unauthorized disclosure Consumers also are subject to risks based on disclosure of their personal information that comes into the hands of merchants, including information provided through payment card transactions. Recent examples include Hannaford Grocery, where a breach of its computer system potentially caused 4.2 million credit and debit card numbers to be disclosed, leading to about 1800 fraud cases.38 Other notable retailers with breaches include TJ Maxx, which has been litigating the consequences of a massive security breach affecting customer payment card information.39 Of course, breaches from outside the traditional business community can also adversely impact consumers. There are broader, macro-forces at work as well. For example, following the disclosure of major data leakage or credit card fraud, the entire PCI suffers from consumer hesitancy to use payment cards, not just in the affected industry, but across the board.40 Although the allocation of losses for unauthorized charges, as outlined in Section 2.2 above, provides an incentive structure for merchants to prevent unauthorized transactions, similar incentives are not necessarily present in the realm of costs associated with a disclosure of personal information. A disclosure caused by lax security by one merchant does not necessarily generate cost in the form of unauthorized transactions on that same merchant. For example, if a breach at a university results in disclosure of payment card information from its customers, it would seem highly unlikely that the university would subsequently experience significant unauthorized charges or extend credit to persons who fraudulently obtained another’s identity. For some items, it can easily suspend the benefit obtained (e.g., tuition and/or degree credits) upon discovery of the fraud, which would not be possible for other consumer items, such as food, gasoline, or retail goods. Security breaches from one business or business sector may thus effectively shift costs to other firms, in addition to costs borne by the consumers themselves. An investment in security to protect cardholder data does not necessarily generate rewards measured in the form of cost savings from unauthorized transactions on one’s own account. Returns from an investment in security, if indeed they occur at all, are likely to be more indirect. For example, to the extent that customers are sensitive to security risks, they may seek out firms that provide the greatest protection and avoid those who do not. (However, this assumes that consumers have some means to differentiate based on this factor.) Alternatively, customers may simply choose to avoid payment cards in favor of cash or other payment means which do not present these threats. The possibility of externalized costs begs for a solution in order to prevent harms to consumers and to other firms who must bear the costs of unauthorized transactions. Several mechanisms are possible in this context. One approach involves legislation, regulations, or other law-based mechanisms to shift the incentive structure toward greater investments in data security. An overview of that approach is discussed in Section 3, below. Another approach relies on private ordering within the payment card industry, in which the industry polices its own ranks for the purpose of enhancing the security and profitability of all participants. The PCI DSS approach is discussed in Section 4. 34 Id. See Levitin, supra note 23, 45 Harv. J. on Legis. 1 (arguing that restraints on surcharges for credit card usage impose costs on all consumers). 36 See id. However, an industry source has told the authors that it would be unusual not to pass these costs through as a matter of contract. 37 See VISA Form S-4, supra note 1, at 146. 38 See Ross Kerber, Grocer Hannaford hit by computer Brach, Boston Globe, March 18, 2008, available at http://www.boston. com/business/articles/2008/03/18/grocer_hannaford_hit_by_ computer_breach/ (visited May 2, 2008). 39 See id. See also discussion at notes 52–60, infra. 35 3. Legal obligations for security Legal obligations to provide security for data belonging to others may come from many different sources. As one prominent commentator has explained: There is no single law, statute, or regulation that governs a company’s obligations to provide security for its information. Corporate 40 See Section 4, infra. computer law & security report 24 (2008) 540–554 legal obligations to implement security measures are set forth in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as common law fiduciary duties and other express and implied obligations to provide ‘‘reasonable’’ or ‘‘appropriate’’ security for corporate data.41 Unlike the European Union, which has provided for the protection of personal information as a fundamental principle in the Data Protection Directive, regulation of security and privacy in the U.S. has been described as ‘‘very fragmented and segment-specific.’’42 Although a complete analysis of all sources for legal obligations is beyond the scope of this article, an overview is helpful in understanding the legal environment for security within the payment card industry. Four specific areas are addressed: (1) segment-specific privacy legislation, such as Gramm– Leach–Blilely; (2) Federal Trade Commission enforcement efforts based on ‘‘unfair’’ practices affecting consumers; (3) state-specific privacy and data security disclosure provisions; and (4) common law claims, including tort. 3.1. Segment-specific legislation Some segments of the economy, such as health care, financial services, and education, have garnered sufficient legislative attention to develop specific legislation that addresses privacy and security of personal information.43 For example, Gramm– Leach–Bliley (‘‘GLB’’),44 expresses the policy of Congress that ‘‘each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ non-personal public information.’’45 Toward this end, regulatory agencies governing financial institutions are directed to establish ‘‘appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards – (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security and integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.’’46 The scope of the ‘‘financial institutions’’ affected by these obligations is limited. Although a broad range of banks, brokers and dealers, investment companies, and insurance firms are 41 See Thomas J. Smedinghoff, It’s All About Trust: The Expanding Scope of Security Obligations in Global Privacy and E-Transactions Law, 16 Mich. St. J. of Int’l L. 1, 10 (2007) (footnotes omitted). 42 See id. at 16. 43 See, e.g., Health Insurance Portability and Accountability Act of 1996 (‘‘HIPAA’’), Pub. L. 104–191, 110 Stat. 1936 (1996); Gramm– Leach–Bliley Act (Financial Services Modernization Act of 1999), Pub. L. 106–102, 113 Stat. 1338 (1999); Family Educational Rights and Privacy Act of 1974 (‘‘FERPA’’), Pub. L. 93–380, 88 Stat. 571 (1974). 44 Relevant provisions addressing privacy are codified at 15 U.S. C. xx 6801-09. 45 15 U.S.C. x 6801(a). 46 Id. x 6801(b). 545 included, most merchants are not.47 Various federal and state agencies regulating the covered institutions are responsible for implementing the requirements of the Act.48 Among these institutions, the Federal Trade Commission (FTC) has invested the most effort in enforcement of Gramm–Leach–Blilely.49 As discussed below, the FTC has also undertaken enforcement efforts to protect consumers from data security breaches from firms outside the scope of Gramm–Leach–Bliley. 3.2. The Federal Trade Commission The Federal Trade Commission has been instrumental in extending protections to consumers outside the scope of segment-specific legislation.50 The agency’s website states that ‘‘[P]rivacy is a central element of the FTC’s consumer protection mission’’, and it views the ‘‘security of personal information’’ as a component of privacy.51 Recent enforcement actions by the FTC have included claims against retailer TJX, Inc., a retailer engaged in selling apparel and home fashions. According to the FTC’s complaint, TJX used its computer networks to obtain authorization for payment card purchases.52 Until December 2006, it also stored some of that information on its in-store and corporate networks in an unencrypted form.53 The FTC alleged that TJX’s practices, ‘‘taken together, failed to provide reasonable and appropriate security for personal information on its networks.’’54 As a result, the networks were hacked, compromising ‘‘tens of millions of unique payment cards used by consumers’’ as well as personal information of about 455,000 consumers.55 In particular, the FTC alleged that TXJ: (a) created an unnecessary risk to personal information by storing it on, and transmitting it between and within, instore and corporate networks in clear text; 47 See id. x 6805(a). A merchant may nevertheless be subject to the privacy provisions if the merchant extends credit or engages in long-term leases of property, as in the case of an automobile dealer. See, e.g., the FTC’s Privacy Rule and Auto Dealers: Frequently Asked Questions, at http://www.ftc.gov/bcp/conline/ pubs/buspubs/autoglb.shtm (visited May 2, 2008). FTC regulations also point out that third parties who are not financial institutions may be subject to the G–L–B provisions to the extent they receive information from a financial institution. See 16 C.F.R. Part 313, Privacy of Consumer Financial Information; Final Rule, 65 Fed. Reg. 33,646 (May 24, 2000). Financial institutions are responsible for their agents. See 65 Fed. Reg. at 33,651. Moreover, third parties who receive information from financial institutions effectively ‘‘step into the shoes’’ of the financial institution regarding their rights and obligations. See 65 Fed. Reg. at 33,667. 48 See id. 49 See Kathleen A. Hardee, The Gramm–Leach–Bliley Act: Five Years after Implementation, Does the Emperor Wear Clothes? 39 Creighton L. Rev. 915, 927 (2006). 50 See Smedinghoff, supra note 41, 16 Mich. St. J. of Int’l Law at 17–18; Hardee, supra note 49, 39 Creighton L. Rev. at 927–33. 51 www.ftc.gov/privacy/ (visited 5/2/2008). 52 See In the Matter of The TJX Companies, Inc., FTC C-072-3055, 5–6, available at http://www.ftc.gov/os/caselist/0723055/080327 complaint.pdf (visited 5/2/2008). 53 See id. 7. 54 See id. 8. 55 See id. at 9–11. 546 computer law & security report 24 (2008) 540–554 (b) did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization; (c) did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks; (d) failed to use readily available security measures to limit access among computers and the Internet, such as by using a firewall to isolate card authorization computers; and (e) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts.56 The legal basis for this complaint is Section 5(a) of the Federal Trade Commission Act, which proscribes ‘‘unfair or deceptive acts or practices in or affecting commerce.’’57 It should be noted that nothing in the complaint alleged that the company failed to follow advertised policies, which would presumably consist in a deceptive practice. Such was the case in another enforcement action based on hacking a mortgage lender’s website, where the omissions by the company were arguably inconsistent with its stated privacy policy.58 Thus, the complaint here rests on ‘‘unfairness’’, an amorphous concept that may lend itself to administrative abuse.59 The FTC complaint against TJX was resolved by an agreement containing a consent order. In that order, TJX agreed to take steps to improve its network security and to obtain biennial assessment reports from ‘‘an independent, thirdparty professional, who uses procedures and standards generally accepted in the profession.’’60 However, the agreement specifically states that it ‘‘does not constitute an admission by [TJX] that the law has been violated..’’ An FTC complaint is not itself a finding of a legal violation, only an indication that there is a reason to believe the law has been violated. The foundation for finding a legal violation here, therefore, has still not been tested in the courts. Nevertheless, it is significant that the agency has taken steps to enforce security in this manner, and this may indeed portend greater governmental involvement in these areas outside of the particular scope of industry-specific legislation, such as Gramm–Leach–Bliley. A recent news release announcing the settlement with TJX quotes the FTC Chairman as follows: By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure, said FTC Chairman Deborah Platt Majoras. ‘‘These cases [including TJX] bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America.’’61 However, the limitations of FTC enforcement are significant. Twenty complaints, as noted above, is a small number in relation to the hundreds of breaches identified by websites, such as www.privacyrights.org. Given the limited resources for enforcement, agency regulation is unlikely to provide a complete solution.62 Moreover, delegation of important policymaking authority to an agency in this context has raised other structural concerns, which goes to the heart of appropriate governmental powers in a democracy.63 3.3. 56 Id. 8. It should be noted that these requirements correspond to those in PCI DSS, as discussed in Section 4, infra. 57 See id. 13. Section 5 of the Federal Trade Commission Act is codified at 15 U.S.C. x 45. 58 See Press Release, Real Estate Services Company Settles Privacy and Security Charge (May 10, 2006), at http://www.ftc.gov/ opa/2006/05/nationstitle.shtm (accessed 5/2/08) (regarding In the Matter of Nations Title Agency, Inc., FTC File No. 0523117). 59 See Michael D. Scott, The FTC, The Unfairness Doctrine, and Data Security Breach Litigation: Has the Commission Gone Too Far? 60 Admin L. Rev. 127, 135 (2008) (noting other ‘‘unfairness’’ cases and the ‘‘checkered history’’ of this concept). As a further example, an FTC complaint against Reed Elsevier and Seisint alleges, among other things, that these firms ‘‘allowed customers to use easy-to-guess passwords’’ to access customer databases that included sensitive customer information. See News Release, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (March 27, 2008), at http://www.ftc.gov/opa/2008/03/datasec.shtm (accessed 5/2/08). Although strong passwords are important security tools, it is hard to say that merely permitting a consumer to choose a weak one is somehow ‘‘unfair’’ to the consumer. 60 In the Matter of The TJX Companies, Inc., File No. 072 3055, Agreement Containing Consent Order, at http://www.ftc.gov/os/ caselist/0723055/080327agreement.pdf (accessed 5/2/08). A news release announcing this settlement was published March 27, 2008. State laws Another approach to legislation involves the states, which have been actively pursuing additional legal protections for their citizens in the matter of security and privacy. Significant state efforts include legislation to extend more general privacy protection to citizens and rules requiring the disclosure of security breaches. An overview of each of these two approaches and their relationship to payment card information security is discussed below. 3.3.1. State privacy protection initiatives As discussed above, the Federal government has not adopted a comprehensive approach to consumer privacy. Even segment-specific approaches, such as Gramm–Leach–Bliley, specifically recognize the possibility that states may provide greater protection if they choose.64 61 See News Release, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (March 27, 2008), at http://www.ftc.gov/opa/2008/03/datasec. shtm (accessed 5/2/08). 62 See Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. Cal. L. Rev. 241, 256 (2007). 63 See generally Scott, supra note 59, 60 Admin L. Rev. at 143 ff. 64 See 15 U.S.C. x 6807(b). computer law & security report 24 (2008) 540–554 California has taken the lead in this area by providing a broad-based statute for consumer protection, which provides in part: ‘‘A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.’’65 Moreover, businesses that deal with nonaffiliated third parties are required to contract for such protections on behalf of their customers.66 Waiver of these protections is prohibited as contrary to public policy.67 Customers injured by a security violation may institute a civil action for damages.68 Several other states have also followed a similar approach.69 Significantly, these statutes generally do not prescribe the parameters for reasonable security procedures and practices. However, some states have adopted particular limits. For example, California also proscribes merchants from requiring cardholders to write down personal information that may be stored as a condition of accepting a credit card for payment.70 California law also suggests encryption as a means to protect consumer data.71 3.3.2. State security breach disclosure laws In addition to imposing some general standards for security, state laws may also seek to protect consumers by requiring that firms that experience a breach in their security systems provide notification to affected consumers. More than 30 states have enacted these disclosure requirements, which vary considerably in their details.72 Here again, California is one of the leading states, and a brief look at its statute is helpful in understanding the thrust of this approach for legislating enhanced security. Under California law, ‘‘a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.’’73 ‘‘Personal information’’ is defined to include information that is not publicly available from government records, and it includes account numbers or credit or debit card numbers.74 The disclosure requirement 547 applies, in this case, only to unencrypted information, although the statute does not provide for a particular encryption standard. The means of disclosure may include written or electronic notice to the person, or it may also include ‘‘substitute notice’’, which may include ‘‘conspicuous posting’’ on a website or ‘‘notification to major statewide media.’’75 Disclosure laws potentially provide an important consumer benefit, in that they permit consumers to take appropriate remedial action in response to a breach. One such action is the implementation of a freeze on one’s credit report, which may prevent so-called ‘‘new account fraud’’ that may occur as a result of stolen personal information.76 Moreover, they provide another important function that is potentially even more significant: they focus public attention on the information security practices of firms and thus potentially impact the value of consumer goodwill associated with these firms. To the extent that the marketplace is sensitive to security threats, consumers may choose to avoid firms with poor security reputations. As discussed in Section 4, below, the payment card industry is very concerned about this possibility. The focus on disclosure and its attendant consequences reinforce the market-based incentives that ultimately appear to be a very important influence favoring strong security protections. However, disclosures also may entail significant costs for business.77 3.3.3. Difficulties with state regulation In a Federal system, state laws present an opportunity to for citizens to enact laws that reflect their particular values and priorities. As Justice Brandeis famously stated, ‘‘It is one of the happy incidents of the Federal system that a single courageous state may, if its citizens choose, serve as a laboratory.and try novel social and economic experiments without risk to the rest of the country.’’78 However, the modern technological environment makes it comparatively difficult to constrain the impact of state regulation to enterprises within the state.79 Firms with customers in a state with particular privacy laws may face difficult questions in determining whether they are subject to these laws, even though they are not physically present in the jurisdiction. Moreover, firms with operations in multiple states, which may include networks that connect those operations, may be practically required to comply with the most stringent of state laws.80 However, as 65 See Cal. Civil Code x 1798.81.5(b). See id. x 1798.81.5(c). 67 See id. x 1798.84(a). 68 See id. x 1798.84(c). 69 See generally Smedinghoff, supra note 41, at 18–19. 70 See Cal. Civ. Code x 1747.08, which is part of the ‘‘Song–Beverly Credit Card Act’’. See Florez v. Linens ’N Things, Inc., 108 Cal. App. 45h 447, 450 (Cal. App. 2003). 71 See Cal. Civ. Code x 1798.82(a). 72 See, e.g., Ian C. Ballon, A Legal Analysis of State Security Breach Statutes, 903 PLI/Pat 135 (June–July 2007) (noting differences that include the triggering event, the scope of protected information, exemptions from disclosure, and the form of notice, among others); Paul M. Schartz & Edward J. Janger, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007). 73 Cal. Civ. Code x 1798.82(a). 74 See id. x 1798.82(e),(f). 66 75 See id. x 1798.82(g). See Kristan T. Cheng, Note, Identity Theft and the Case for a National Credit Report Freeze Law, 12 N.C. Banking Inst. 239, 240 (2008). 77 See Michael E. Jones, Data Breaches: Recent Developments in the Public and Private Sectors, 3 I/S: A Journal of Law and Policy for the Information Society, 555, 576–80 (Winter 2007–2008) (summarizing various cost estimates, which range from about $50 to more than $300 per breached record). 78 New State Ice Co. v. Liebman, 285 U.S. 282, 311 (1932) (Brandeis, J., dissenting). 79 See Edward A. Morse & Ernest P. Goss, Governing Fortune: Casino Gambling in America 143–44 (2007) (addressing concerns about the Internet’s impact on the conventional wisdom of Justice Brandeis). 80 See Ballon, supra note 72, at 137–38. 76 548 computer law & security report 24 (2008) 540–554 discussed in Section 4 below, similar conditions may also affect private ordering when competing obligations imposed by multiple vendors are not harmonized. 3.4. Tort claims Courts may also contribute to enforcing security obligations through developing legal theories to exact recoveries from those who fail to exercise due care over information entrusted to them. Two examples include tort81 and bailment.82 To date, neither theory has proven very successful in bringing about recoveries against the industry, but the possibility of future success under an expanded version of a common law theory is undoubtedly affecting industry policies.83 Tort theories have been raised by several legal commentators as a possible means to induce appropriate care by those with consumer information.84 By allowing a recovery of damages, the tort claim may effectively force those who maintain inadequate security to internalize the costs associated with their breach. However, various legal barriers have been raised to this approach. Consumer standing based on actual injury is one such problem.85 For example, in Bell v. Acxiom Corporation,86 a consumer filed a complaint seeking damages against a firm that stored personal, financial, and company data. The firm’s computer was hacked and client files were compromised, giving rise to a class action lawsuit. The plaintiff alleged that as a result of the breach, she suffered an increased risk of unsolicited e-mail and identity theft. However, the court found that neither of these risks was sufficient to cause her to suffer concrete damages sufficient to satisfy the standing requirement.87 Thus, consumer protection rules that limit liability for unauthorized charges also contribute to a litigation bar that protects the industry from a tort claim. In another recent case, Pisciotta v. Old Nat. Bancorp,88 the Seventh Circuit rejected the limited approach to standing adopted in Bell. However, it nevertheless concluded that plaintiffs who had alleged that they had incurred costs for credit monitoring as a result of a security breach would not have a compensable claim under Indiana law. The court based its decision in part on the fact that the Indiana data breach 81 See, e.g., Bell v. Acxiom Corporation, 2006 WL 2850042 (E.D. Ar. October 3, 2006); In re TJX Companies Retail Sec. Breach Litigation, 524 F.Supp.2d 83, 90 (D. Mass., 2007). 82 See Richardson v. DSW, Inc., 2005 WL 2978755 (N.D. Ill 2005). 83 See text at note 103, infra. 84 See, e.g., Citron, supra note 49, 80 S. Cal. L. Rev. 241, 261–67 (addressing proposals by several commentators); Vincent R. Johnson, Data Security and Tort Liability, 11 J. Internet L. 22 (2008); Michael L. Rustad & Thomas H. Koenig, Extending Learned Hand’s Negligence Formula to Information Security Breaches, 3 I/S: J. L. & Pol’y for Info. Soc’y 237 (2007). 85 See Scott, supra note 59, 60 Admin L. Rev. at 154–59 (discussing cases and a report by the United States General Accounting Office discussing the speculative nature of consumer injury in security breaches). 86 2006 WL 2850042 (E.D. Ar. October 3, 2006). See also Ambrose, et al., Survey of Significant Consumer Privacy Litigation in the United States in 2007, 63 Bus. Law. 653, 653 (2008). 87 See id. (citing numerous other cases reaching similar results). 88 499 F.3d 629 (7th Cir. 2007). notification statute did not provide a private cause of action, and that in the absence of ‘‘a single case or statute, from any jurisdiction, authorizing the kind of action’’, the court refused to create a ‘‘novel tort claim’’ in this context.89 The economic loss doctrine, which limits the scope of recoverable damages in tort to personal injury or property damage, may also serve as a bar to recoveries based on negligence or strict liability.90 In recent litigation concerning the TJX Companies data security breach, the economic loss doctrine was raised by TJX and its acquiring bank in response to a claim for damages by issuing banks.91 The issuing banks raised a tort claim based on negligence, seeking damages measured by the costs they incurred for credit cards compromised by hackers who accessed the TJX computer network. However, the court held that those damages were barred by the economic loss doctrine.92 Significantly, the court also rejected an argument that property damages had occurred because cards had to be replaced. According to the court, physical damage was required to satisfy the property damage exception, not merely intangible economic damages.93 As the court in TJX recognized, the rationale of the economic loss doctrine is ‘‘partly that ‘a commercial user can protect himself by seeking express contractual assurances concerning the product (and thereby perhaps paying more for the product) or by obtaining insurance against losses.’’’94 Ironically, the issuing banks were denied the opportunity to present a contract claim due to the absence of privity of contract between them and the merchant. As discussed below, the complex web of legal relationships within the various independent actors in the payment card industry can present formidable challenges to direct contractual arrangements in this context. It should be noted that TJX ultimately settled out of court with the issuing banks by offering to pay approximately $40.9 million.95 It also settled with consumers who brought a class action lawsuit by agreeing, among other things, to providing credit monitoring for certain customers, vouchers of up 89 See id. at 636–40. For background on the economic loss limitation, see, e.g., Boggs, et al., Evolution of the Economic Loss Doctrine in Information Age Disputes Involving Electronic Data Storage Products, 73 Defense Counsel J. 129 (2006) (articulating purposes of economic loss doctrine); Steven C. Tourek, et al., Bucking the ‘‘Trend’’: The [UCC], the Economic Loss Doctrine, and Common Law Causes of Action for Fraud and Misrepresentation, 84 Iowa L. Rev. 875 (1999) (discussing fraud and misrepresentation exceptions to doctrine). 91 In re TJX Companies Retail Sec. Breach Litigation, 524 F.Supp. 2d 83, 90 (D. Mass. 2007). 92 See id. at 90. 93 See id. (following Penn. State Employees Credit Union v. Fifth Third Bank, 398 F.Supp.2d 317, 330 (M.D. Pa. 2005)). It should be noted that Penn. State Employees Credit Union was recently reversed by the Third Circuit. However, the significance of this result is questionable, given that it dealt with an earlier version of the Visa rules. See R. Christian Bruce, Retailer, Bank Had Duties Under Visa Rules to Guard Credit Card Information, 13 BNA Electronic Commerce and Law Report 1012 (July 23, 2008). 94 Id. (citation omitted). 95 The TJX Companies, Inc., Form 8-K, November 29, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/0000950 13507007247/b67665tje8vk.htm (accessed 5/6/08). 90 computer law & security report 24 (2008) 540–554 to $30 for those who incurred costs, with a second $30 voucher if additional costs can be proven (including lost time at $10/h); sale offerings of its merchandise for customers, and commitments to minimize the likelihood of intrusions in the future.96 Although particular assessments of legal risks underpinning these settlements are not entirely clear, there is a business advantage in obtaining a certain and predictable resolution and in removing a cloud of litigation that could affect shareholder and customer perceptions for years to come. Concerns about additional government regulation may also be considered. At least one state has enacted legislation to address the concerns of issuing banks in response to the TJX security breach. Effective August 1, 2007, Minnesota businesses that accept payment cards are prohibited from retaining customer information longer than 48 h after completing a transaction.97 Effective August 1, 2008, Minnesota law will also expressly permit an action for damages to recover ‘‘costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.’’98 Other states considered but did not enact similar legislation.99 It remains to be seen whether this legislation will indeed protect consumers, and how such legislation will impact the payment card industry. It potentially injects the threat of significant consequential damages into data security breaches occasioned by a merchant’s lack of security.100 Judge-made doctrines that prevent recovery may also be changed or applied differently by judges in future cases. If that should occur, the industry may well seek legislative limits to contain liability exposure. The proper standard of care for liability is a significant issue in the context of tort liability. If left to judicial determination, this standard is likely to be inconsistent and potentially difficult for business to apprehend. In the meantime, the industry appears to be taking its own steps to address security concerns through private ordering. Industry practices may ultimately provide a standard of care that will emerge as the benchmark for those who deal with payment card information. 4. Private ordering through standards: PCI DSS Legal authority is not the only means to regulate privacy and security. As legal scholars have recognized, it is possible for other norms of behavior to develop within particular social contexts with only limited, if any, state intervention.101 The 96 The TJX Companies, Inc., Form 8-K, September 21, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/0000950 13507005786/b66967txe8vk.htm (accessed 5/6/08). 97 See Minn. Stat. Ann. x 325E.64(b). 98 See id. x 325E.64(c). 99 See Donald G. Aplin, TJX Breach Prompts Six States to Consider Merchant Liability; Minnesota Clears Measure, 12 BNA Electronic Commerce Report 473, May 23, 2007. 100 See Richard A. Epstein and Thomas Brown, Cybersecurity in the Payment Card Industry, 75 U.Chi. L. Rev. 203, 221 (2008). 101 See, e.g., Gralf-Peter Calliess, Jorg Freiling, & Moritz Renner, Law, the State, and Private Ordering: Evolutionary Explanations of Institutional Change, 9 German L.J. 397, 403–05 (2008). 549 private law of contract may provide a basis for mutual agreement among members of a network or other social group, thus allowing participants to govern themselves. In this sense, legal institutions may become the means of enforcement, whether directly or indirectly (as in the case of an agreement reached through private arbitration, which displaces judicial machinery of the state for the initial decision making process but may ultimately depend on that machinery to enforce an arbitration award). Non-legal sources, such as codes of conduct or even market expectations, may also be effective, and these may depend on the power of reputation, rather than law.102 The payment card industry (PCI) has recognized the potential for adverse market impacts from insecurity that threatens the consumer side of its two-sided marketplace. Not only may insecurity reduce consumer transactions (and the associated revenue), it may also provide an additional threat of government intervention. PCI leader Visa has stated the following in a recent filing with the U.S. Securities and Exchange Commission: We and our customers, merchants, and other third parties store cardholder account information in connection with our payment cards. In addition, our customers may use third-party processors to process transactions generated by cards carrying our brands. Breach of the systems on which sensitive cardholder data and account information are stored could lead to fraudulent activity involving our cards, damage the reputation of our brands and lead to claims against us. .If we are sued in connection with any data security breach, we could be involved in protracted litigation. If unsuccessful in defending such lawsuits, we may be forced to pay damages and/or change our business practices or pricing structure, any of which could have a material adverse effect on our revenue and profitability. In addition, any damage to our reputation or our brands resulting from an account data breach at one of our customers or merchants or other third parties could decrease the use and acceptance of our cards, which could have a material adverse impact on our payments volume, revenue and future growth prospects. Finally, any data security breach could result in additional regulation, which could materially increase our costs.103 As can be seen from the above statement, both legal and non-legal considerations are present. In an environment of legal uncertainty, legal claims presented through the courts have the potential to impose significant costs, regardless of whether the case concludes in legal liability. Moreover, the public attention from such claims may also inject additional costs through regulation imposed by government, as opposed to that designed by the industry itself. 102 See id. at 404. (‘‘The threat of reputation-losses in markets that are ‘value-sensitive’ makes defective behavior unlikely.’’) 103 VISA Form S-4, supra note 1, at 19. See also id. at 19–20. (‘‘If fraud levels involving our cards were to rise, it could lead to reputational damage to our brands, which could reduce the use and acceptance of our cards, or to greater regulation, which could increase our compliance costs.’’) 550 computer law & security report 24 (2008) 540–554 Table 1 – PCI DSS Requirements and Categories Requirement Description Build and maintain a secure network. 1 2 Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect cardholder data. 3 4 Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks. Maintain a vulnerability management program. 5 6 Use and regularly update anti-virus software. Develop and maintain secure systems and applications. Implement strong access control measures. 7 8 9 Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Regularly monitor and test networks. 10 11 Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain an information security policy. 12 Maintain a policy that addresses information security. See https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf (visited 5/15/08). For this reason, industry leaders have cooperated to develop their own standards for security, and these are known as the Payment Card Industry Data Security Standards (PCI DSS). As Visa has explained: In a cooperative industry effort in 2006, Visa U.S.A. co-founded the Payment Card Industry Data Security Standards (PCI DSS) Council, an independent council that established security standards to protect cardholder data and to prevent fraud. In December 2006, Visa U.S.A. announced the introduction of the PCI Compliance Acceleration Program (PCI CAP) for merchants and VisaNet processors. The program uses both financial incentives and fines to encourage merchants to comply with the PCI industry standards.104 Thus, through the combination of adopting industry standards and providing a system of private incentives and penalties within the industry, as well as additional programs for compliance for entities associated with particular card brands, the industry is seeking to address its own data security needs. 4.1. The standards The PCI data security standards are called ‘‘requirements.’’ When the PCI Council was formed as a non-profit entity, each of the council’s primary backers (i.e., major card issuers) already had in place their own data security requirements. The Council compiled a unified set of standards, presumably working through an analysis and synthesis of what was already in place in each card issuer organization. Although a form of ‘‘due process’’ was followed by the Council in 104 Id. at 214. arriving at the standards, concerns remain among the market players, especially merchants and banks, that the feedback from them on earlier drafts of the standards was not fully addressed. New updated standards are expected in October 2008, which may address some of these concerns.105 Version 1.1 of the standards, released in September 2006, has 12 major requirements divided into six categories. Table 1 presents these requirements and categories. Each requirement has sub-requirements and some have sub-sub-requirements. For example, Requirement 3, regarding the protection of stored cardholder data, provides several sub-requirements, which range from ‘‘keep[ing] cardholder data storage to a minimum’’ to ‘‘rendering cardholder data unreadable’’. Particulars regarding encryption and key storage are discussed as a means of making data unreadable, but businesses unable to encrypt, whether due to ‘‘technical constraints or business limitations’’, are allowed to adopt ‘‘compensating controls’’ designed to mitigate the associated risks.106 Although a complete analysis of the particulars of PCI DSS is beyond the scope of this article, some general observations about the standards are in order. The standards are neither linear nor sequential; they vary in nature, scope, and granularity. Some standards (e.g., #1, maintain firewall and #4, encrypt transmission) are prescriptive while others (e.g., #3, protect stored data, and #6, develop and maintain secure 105 See Press Release, May 14, 2008 available at https://www. pcisecuritystandards.org/pdfs/05-14-08.pdf (visited 5/15/08). These updated standards will ‘‘enhance the clarity of its technical requirements, offer improved flexibility and address new and evolving risks and threats.’’ However, the updated standards will ‘‘not include any new core requirements beyond the existing 12 in place.’’ 106 See Appendix B, available at https://www.pcisecuritystandards. org/pdfs/pci_dss_v1-1.pdf (visited 5/15/08). computer law & security report 24 (2008) 540–554 systems) are normative in the sense that they leave the particular means of implementing protection and security to the entity responsible for compliance. Standard 7, ‘‘business need to know’’, contains significant ambiguity and thus accommodates potential variation depending on the business model of the particular user. Finally, the numerical order of the standards does not bear out any significance. For example, the final requirement (#12, policy) sets the tone of everything that is expected and yet, it is the very last thing on the list. Taken as a whole, a systemic view of the requirements is shown in Fig. 2. In interpreting the overview in Fig. 2, one can easily surmise that protecting stored and transmitted data is not an esoteric venture. Given today’s integrated systems, often based on an enterprise resource planning (ERP) platform and linked inter-organizationally, it is difficult to pick data security as a sole objective. The entire spectrum of systems and processes, databases, users, and communication links are impacted.107 Further, what makes sense for PCI compliance may also be a good case for implementation across all critical systems. The situation here seems to be far different than that offered by the Sarbanes–Oxley Act of 2002, where Section 404 requirements are limited to those processes that impact financial results and their disclosure – a less comprehensive sphere of activity than one affecting all of the entity’s systems and processes. 4.2. Affected merchants The PCI DSS affect merchants – the authorized acceptors of credit cards. The industry has classified merchants into four levels and for each level, compliance with the requirements is articulated separately, as shown in Table 2.108 One key rationale for classifying merchants is to balance the cost of compliance with the perceived value of such compliance. This is a classic business-size problem encountered in almost all cases of compliance. For example, regarding the Sarbanes–Oxley Act, the debate is still on whether to require smaller public companies to comply in the same manner as their larger counterparts. 4.3. Enforcement issues The promulgation of standards by a separate standard-setting body, i.e., the PCI Security Standards Council (PCI-SSC) and a determination of who is affected by such standards are only initial steps in the process. Those standards must ultimately be adopted and implemented among the various participants in the payment card network. As suggested in Table 2, below, some form of validation or certification is helpful in order to ensure compliance with the standards. These two aspects of enforcement are discussed briefly below. 4.3.1. Of course, PCI DSS is not the only broadly based standard available for information security. Others may include those promulgated by the International Standards Organization (e.g., ISO 17799 or 27001) or the National Institute of Standards and Technology. See Scott, supra note 59, 60 Admin L. Rev. at 176–77 (mentioning these and other alternatives). 108 These classifications originated in Visa USA definitions. See www.gfi.com (accessed 5/14/08). Adoption and implementation: the limits of contract The PCI-SSC describes itself as ‘‘an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.’’109 Neither the PCI-SSC nor its participating organizations110 have any independent legal authority to enforce those standards. Indeed, implementing the standards is not even a condition of membership for a participating organization.111 Contract is the operative means for implementing PCI DSS, and those contractual relationships extend among various members of the payment card network, rather than to the PCI-SSC or another common umbrella organization. Thus, each payment card brand (e.g., Visa, Mastercard, Discover, American Express) will have its own contractual relationships with members of its payment card network. Those contracts will require compliance with PCI DSS and they will define the consequences of noncompliance, such as fines, penalties, or enhanced transaction charges. Compliance is thus a matter of economic cooperation among the members of the network, which is induced through contract. The scope of direct control over the adoption of security standards, however, depends on those with whom there is privity of contract. This limitation was made clear in the TJX litigation, where issuing banks sought to recover from Fifth Third Bank, the acquiring bank for TJX, based on a theory that they were third-party beneficiaries of contracts between others. In particular, these contracts were between TJX and Fifth Third (i.e., merchant and acquiring bank) and between Fifth Third and Visa and Mastercard, respectively (i.e., acquiring bank and card payment network). Although both of these contracts required the merchant and/or the acquiring bank to maintain security, the issuing bank was not a party to either contract, and thus could not claim damages based on breach. Under the applicable state law, the parties to those contracts could determine whether they intended to benefit a nonparty; unfortunately for the issuing banks, the court found no such intention.112 Merchants, such as TJX, who lack a direct contractual relationship with the payment card company, such as Visa or Mastercard, have a contractual relationship with their acquiring bank. Acquiring banks are induced to include requirements for security in the hands of their merchant customers due to threats of fines and penalties imposed by the payment card company as a result of noncompliance. The ultimate penalty, in theory, would be suspension or removal from the payment card network. In the case of TJX, the acquiring bank, Fifth Third Bank, faced fines and penalties from Visa due to the noncompliance of its merchant customer. According to a settlement 109 See https://www.pcisecuritystandards.org/ (accessed 5/7/08). As of May 7, 2008, there are 439 participating organizations (including those with pending applications), which include various merchants, banks, and service providers in the payment card industry. See https://www.pcisecuritystandards.org/join/ participating_organizations.htm (accessed May 7, 2008). 111 See https://www.pcisecuritystandards.org/pdfs/Participating_ Organization_Application.pdf (accessed May 7, 2008). 112 See In re TJX Companies Retail Security Breach Litigation, 524 F. Supp.2d 83, 88–90 (D. Mass, 2007). 110 107 551 552 computer law & security report 24 (2008) 540–554 Policy (12) Logical (8) Physical (9) Boundary (1) System/ Application development (6) Data tran smission Testing (11) System configuration (2) Access/ Authentication (7) (4) Data protection (3) Monitoring (10) Vulnerability management (5) Fig. 2 – A systemic overview of the PCI DSS. agreement, which was made public through a Form 8-K disclosure to the SEC by TJX,113 Visa agreed that ‘‘it will suspend finds pending, but not yet imposed and collected, on Fifth Third arising from its alleged failure to ensure TJX’s compliance with Visa data security requirements or as a result of TJX’s alleged failure to be fully PCI DSS compliant by September 30, 2007 (which was Visa’s deadline for TJX’s PCI DSS compliance)..’’ TJX also obtained relief in the form of reduced interchange fees, and Fifth Third Bank would also receive the elimination of fines, including a $500,000 ‘‘Egregious Violation’’ fine.114 Incorporating PCI DSS standards into contractual provisions presents some practical legal issues for acquiring banks, merchants, and service providers who may be involved in functions affecting the payment card network. For example, to the extent a long-term contractual relationship already exists, there is a practical issue of how to invoke new obligations, which had previously not been contemplated. An acquiring bank may also face challenges from interpretational issues that may arise. Given that the acquiring bank may function for more than one payment card company, and that it has a separate contract with each company, the security practices of the bank may be subject to conflicting interpretations or commitments. Uncertainties in the requirements that payment card companies may impose may counsel against the bank undertaking a consultative role to assist customers in interpreting compliance issues. Moreover, the bank may also be subject to other obligations, such as those imposed by Gramm–Leach–Bliley, which may create additional possibilities for conflict. The absence of a single, authoritative source for these standards adds some complexity, which the PCISSC may be called upon to resolve in order to maintain an appropriate private ordering. 113 See The TJX Companies, Inc., Form 8-K, November 29, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/ 000095013507007247/b67665tje8vk.htm (accessed 5/6/08). 114 See id., x 6. Another significant issue involving adoption and implementation involves the issue of small merchants. The technical expertise and costs associated with PCI DSS compliance present a formidable barrier to small businesses. Although insecure practices by these merchants may affect relatively few customers that insecurity has a potential impact on these consumers. Disclosure requirements, to the extent applicable to small businesses, would not be expected to garner the type of media attention that might otherwise inhibit card usage and thus harm the card industry. However, the threat of direct negative impacts on small businesses from their customers may nevertheless provide some incentive to enhance security, and to obtain help through third-party consultants and service providers. Ultimately, however, a cost/benefit assessment must be undertaken to evaluate whether participation in the payment card network is desirable and cost-effective for small business participants. 4.3.2. Monitoring security assessment Securing data in connection with payment card networks also requires monitoring, which is an integral part of the control activities that accompany an appropriate security framework.115 External threats and internal vulnerabilities must be addressed on an ongoing basis in order to provide adequate security.116 Accordingly, as noted above, Requirements 9 and 10 of the DSS require monitoring and testing. A practical question here involves the matter of who assesses compliance? The PCI-SSC answers this question by providing two tracks. First, it provides a mechanism for training and certifying Qualified Security Assessors (QSAs), third parties who perform on-site evaluations for purposes of 115 See Vasant Raval & Ashok Fichandia, Risks, Controls, and Security 69 (Wiley, 2007). 116 See id. at 69–70. PCI-SSC recently issued a statement on malware threats, which emphasizes the need to implement PCI DSS and to maintain full compliance in order to prevent these threats. See https://www.pcisecuritystandards.org/pdfs/04-28-08_ malware_statement.pdf (visited 5/7/08). computer law & security report 24 (2008) 540–554 553 Table 2 – Definition of merchant levels and their compliance requirements Level 1 2 3 4 Definition, based on annual volume of transactions Compliance requirements Merchants with more than six million card transactions; also may include smaller merchants from whom card data have been compromised. Merchants with between one and six million card transactions. Ecommerce Merchants with between 20,000 and one million card transactions. All other merchants. Annual on-site assessment by a certified assessment firm and quarterly network scans. monitoring and reviewing compliance with PCI DSS.117 Second, for smaller merchants and service providers who are not required to undergo an on-site assessment, it provides a self-assessment questionnaire, which is aimed at helping these organizations meet the standards.118 Self-assessment questionnaires also vary depending on the type of merchant processing system available in the business, so that appropriate questions may be tailored to meet the particular security risks in different business models.119 The training and credentialing function performed by PCISSC potentially creates greater uniformity with regard to the implementation of the data security standards. Although each of the founding payment card brands will recognize certification by a QSA, some problems of interpretation may nevertheless remain. As the PCI-SSC website recognizes, ‘‘Organizations engaging QSAs.to validate their compliance with the PCI DSS will continue to follow policies and guidelines established by the individual payment brands.’’120 Independent approaches among the various card brands are likley to generate inconsistency – and potential conflicts – in this context. 4.3.3. Costs and benefits Despite some difficult allocation issues involved in measuring the cost of compliance, quantified costs of achieving compliance are far more concrete than the measurement of value from additional security. Most value measurements are intangible, and they are critical for sustaining an organization. The industry has focused on sustaining the ability to do chargecard-based transactions, protecting customer perceptions about their security (and perceptions about the associated merchants and payment card brands), and facilitating cardbased business over the Internet, as some of the intangible values it will protect through PCI DSS. 117 For training and requirements, see https://www.pcisecurity standards.org/training/qsa_training.htm (visited 5/7/08). Training sites include international venues, such as Warsaw, Poland; Sydney, Australia; and Toronto, Canada. See id. A certification is also available for Approved Scanning Vendors (ASVs.) See https:// www.pcisecuritystandards.org/programs/asv_program.htm (visited 5/7/08). 118 See https://www.pcisecuritystandards.org/tech/saq.htm (visited 5/7/08). 119 See PCI DSS Self-Assessment Questionnaire version 1.1 (February 2008), available at https://www.pcisecuritystandards.org/ pdfs/instructions_guidelines_v1-1.pdf (visited 5/15/08). 120 See https://www.pcisecuritystandards.org/programs/ (visited 5/7/08). Annual self-assessment and quarterly network scans. Annual self-assessment and quarterly network scans. Annual self-assessment and annual network scans (often with particulars to be determined by acquiring banks). However, by limiting the extent of required compliance with PCI DSS, the industry has effectively decided to leave some customers with less protection, or perhaps no protection at all. Significantly, the cost–benefit trade-off for consumers has been made by the industry through private ordering, rather than through law. From a consumer’s perspective, this lack of protection can also be difficult to quantify. To the extent that PCI DSS compliance is not publicly disclosed by merchants, it may be impossible to know the extent of such protection in any particular case. 5. Future trends and challenges The payment card industry has grown and thrived in an environment of technological change. The problem of unauthorized transactions, which threatened not only the consumer but also industry profits, was addressed long ago by law in a consumer-friendly manner. However, the more recent problem of unauthorized disclosure of consumer payment card data continues without a solid legal resolution. Economic self-interest from within the industry has influenced the development and implementation of standards designed to enhance security through private ordering. However, threats of regulatory sanction, whether through existing channels or through expanded regulatory intervention, coupled with threats of legal liability from other sources, including tort law, have also shaped these developments. Moreover, state laws requiring disclosure of data security breaches appear to have reinforced the effectiveness of market-based incentives for additional protections to develop. The state of affairs described above is certainly in flux, as the significance of data security continues to develop in this context. There are many possible issues to be addressed, and a few of these are identified below.  Will governments continue to support the private ordering model in this context? Can an effective legal framework be crafted to address technological change and developmental threats in varying business environments?121  Would the gaps in consumer protection identified above (e.g., especially those who do business with smaller 121 See generally Vasant Raval & Ashok Fichadia, Risks, Controls, and Security 359–60 (Wiley, 2007) (contrasting prescriptive, hybrid, and minimalist approaches to digital signature laws). 554     computer law & security report 24 (2008) 540–554 merchants) be significantly improved by additional legal intervention? Who would ultimately bear those costs? Should merchants be required to disclose PCI DSS compliance to consumers? What role will emerging legal standards accord to private enforcement of security standards, such as through the imposition of liability on those who fail to protect customer data? Will PCI DSS have some role here in defining the standard of care, which ultimately forms the basis for triggering liability? Will QSAs become another target for recovery (i.e., through malpractice) in the event a breach occurs in a network they assessed? How do liability concerns for significant payment card data security breaches impact broader issues of risk assessment? In particular, how will auditors take into account risks of noncompliance in certification of financial statements? Will they defer to QSAs?  How will boards of directors and corporate executives take PCI DSS compliance into account in designing responses for securing corporate assets?  How will PCI DSS affect the security standards among other payment systems or online virtual worlds (and vice versa)?  Given global interaction among payment card systems, including service providers, will global standards for interpretation and enforcement emerge? If not, how will firms cope with competing demands? Professor Edward A. Morse (morse@creighton.edu) holds the McGrath North Mullin & Kratz endowed chair in business law at Creighton University School of Law. Dr. Vasant Raval (vraval@ creighton.edu) is Professor of Accounting at Creighton University College of Business Administration and the co-author of Risks, Controls, and Security (Wiley, 2007).
FEATURE Tackling the PCI DSS challenges James Rees James Rees PCI DSS has been a controversial subject for businesses and organisations in the western world for some time. There have been many complaints from a number of sources over the past few years over the exacting requirements that PCI DSS imposes on organisations that need to take card payments in order to sell their products. From the large global online retailers such as Amazon, to the small ecommerce companies attempting to make it in a volatile economy, all are required to comply with PCI DSS and many – unfortunately – do not understand it. Experience gained from undertaking PCI DSS consultancy in many organisations of differing sizes reveals that many are fearful of the consequences of the PCI DSS requirements and their effect on the company culture. Other organisations have shown outright hatred and apathy toward PCI DSS over the cost and the implications to their working environment. And some do not see the point of PCI DSS and avidly attempt to ‘get around’ the requirements. There have been a few that have embraced PCI as a good idea, but they are in a small minority. Most firms ultimately succeed by applying a little care and attention, as well as by translating the requirements into their own particular language. Yet the road in many cases has been long and fraught with frustration. PCI DSS in a nutshell PCI DSS has been designed to protect people’s valuable card data from being stolen and misused. No organisation wants to be the subject of a security event where card data has been stolen – the effects are devastating in terms of both fines and clear-up costs – and there are the longer-term issues of brand damage and loss of customer confidence in the organisation. Properly implemented PCI DSS compliance that is adequately maintained should January 2012 reduce the chance of a damaging security breach. Even if the worst happens and the company still has a security issue then policies and procedures will be in place to address the security event and mitigate the issue through effective countermeasures. “Most firms ultimately succeed by applying a little care and attention, as well as by translating the requirements into their own particular language” Qualified Security Assessors (QSAs) hear many arguments against PCI DSS, and a quick Google search on the matter shows that there are several common themes: • PCI DSS is too hard. • PCI DSS is too expensive. • PCI DSS is not a legal requirement so why do we have to? • Some elements of PCI DSS are ok but others are too strict. • What does ‘scope’ mean? And how do I define this? The guidelines are too vague. • PCI DSS doesn’t apply to us we are only a small company. • We agree with some of the PCI DSS requirements but not others. • Why do our third parties have to prove compliance and why does their status affect ours? • PCI DSS has no teeth, what can they do to us if we refuse? So let us analyse these statements in depth. Too hard PCI is an exacting and involved compliance model. The type of business you’re in, how you operate and how you process, store and transmit card information will have a significant effect on what items within PCI DSS you will need to undertake. For those PCI DSS requirements that you deem as not applicable in your case, as long as you can justify your reasoning as to why they are not applicable then you will be fine. PCI DSS can be as complicated or as simple as you want to make it. Yes, there will probably be some complex items to address (there always are) but don’t panic and overcomplicate matters. If in doubt, ask for help from a QSA. “You may get away with telling your acquirer or client that you are working on it, but that will only last for so long before you either get fined or lose a valuable customer” Too expensive Unfortunately, in some cases it is an inconvenient truth that achieving PCD DSS compliance is overly expensive. It can be a very expensive project to undertake: even for smaller firms with a smaller infrastructure it can be very costly to undertake the necessary remediation required to attain compliance. But bear Computer Fraud & Security 15 FEATURE in mind, too, that fines are also expensive (and are ‘dead’ money too). You may get away with telling your acquirer or client (if a service provider) that you are working on it, but that will only last for so long before you either get fined or lose a valuable customer due to your inability to prove you are compliant with PCI DSS. Look at the risks and decide if you are able to create a way to undertake business without taking or facilitating card payments – then you will not need to comply with PCI. Not a legal requirement At the moment, only a few states in the US have begun to make PCI DSS a legal requirement. In the UK there have been discussions to support it as a legal requirement, though this will probably be a long time coming. In truth, there are likely to be no legal requirements to undertake PCI DSS. However, the standard was designed to protect consumers and the banking system from card fraud. The large card brands have decided that, in order to utilise their card brands in your business, you must have a specific level of security as laid out and communicated in the PCI DSS compliance model. This is supported by all the major banking institutions and thus, in order to do business with the banks and the card brands, it is a contractual requirement to comply with PCI DSS. The lack of any legal requirement therefore becomes moot if you can’t do business without being PCI DSS compliant. “Scoping is the one part of PCI DSS that QSAs universally agree must be correctly undertaken at the start of the project” Some elements too strict Even QSAs will admit that PCI DSS is a very strict compliance model. 16 Computer Fraud & Security However, it does make good sense, and it does address a number of security concerns that information security people have been concerned about for some time. In today’s world the use of cold hard cash is rapidly diminishing in the developed world. Using cards to pay for goods is easier, quicker and universally accepted with the minimum of fuss – it is the way the global marketplace is going and there is no stopping it. The strict nature of PCI DSS is there to protect people, businesses and the financial institutions from fraud. Card fraud in the modern world is a massive criminal business revenue stream and something has to be done about it. “Without a correctly undertaken and regularly reviewed scope, complying with PCI DSS will be extremely difficult” Guidelines too vague The PCI DSS guidelines are specific in their requirements and how scoping works. It should be recognised however that scoping, in particular, is a fine art in itself. If you or people within your organisation feel that the guidelines are too vague, it is a clear signal that the organisation needs to have some form of professional support from a QSA and/or Internal Security Assessor (ISA). Scoping is the one part of PCI DSS that QSA’s universally agree must be correctly undertaken at the start of the PCI DSS project. Without a correctly undertaken and regularly reviewed scope, complying with PCI DSS will be extremely difficult. The golden rule for PCI DSS is always ‘get the scope right’. The key rules of scoping are: • If a system, service or location stores, transmits or processes card payments then it is clearly in line for PCI DSS compliance. • If a system, service or location connects directly to another system or service that stores, transmits or processes card payments then it is also clearly in line for PCI DSS compliance. • If a system or service indirectly connects to a system, service or location that stores, transmits or processes card payments then it is potentially in line for PCI DSS compliance, depending on the indirect connection. Getting the scope correct in any PCI DSS project is the most important part of the process; if this is not done correctly it can have a seriously detrimental effect on the compliance process as a whole. Only a small company Unfortunately, even if you are a very small firm, if you take card payments from clients – be it just one, or a few million – you are required to comply with PCI DSS. There are no distinctions in PCI DSS for large companies or small companies. If you take card payments then you are required to comply even if it is only one card payment. You are contractually obliged with the bank and the card brands through the merchant ID contractual agreement. “Spend time selecting the right QSA for your organisation. Some are more experienced than others and opinions and interpretations of PCI DSS can differ” Agreeing with some requirements This is something that happens a lot – organisations don’t see the value of some parts or a small section of the PCI DSS requirements. Thus occasionally you will see or hear the opinion that they need to worry only about those parts of PCI DSS with which they agree. Unfortunately PCI DSS requires that all of the requirements applicable to the organisation seeking compliance must be met. You cannot pass PCI DSS without January 2012 FEATURE all components applicable to the organisation being in place. Third parties Under PCI DSS it is perfectly acceptable to engage third-party organisations to undertake card payment facilities on the organisation’s behalf. However, be warned that all third parties involved in the process will need to prove their compliance via the availability of an Attestation of Compliance (AoC). “Companies that have been fined are usually very secretive about those fines. They will also keep the news of the breach as quiet as possible as to prevent brand damage” PCI DSS compliance is the responsibility of the merchant, which also needs to ensure that all service providers can prove compliance. Failure to do so will mean that the merchant cannot comply with PCI DSS and thus will not be considered to be PCI DSS compliant. What can they do to us? Rest assured, PCI DSS has some serious teeth on the part of the card brands and the banks. The acquiring banks reserve the right to fine, increase the cost per transaction or, as an ultimate sanction, refuse entirely to allow a merchant to take card payments. “PCI DSS does not have to be difficult. Yes, it has components that are often challenging to achieve, but in reality PCI DSS should be a part of normal business procedures, not an independent requirement” Companies that have been fined are usually very secretive about those fines. They will also keep news of the breach as quiet as possible as to prevent brand January 2012 damage. No company wants to be plastered all over the media with stories of losing people’s confidential data. So, just because you haven’t heard much about firms suffering as a result of non-compliance, don’t assume it isn’t happening. Key factors for compliance So let’s review the things to be aware of when seeking to become PCI DSS compliant. Get your PCI DSS scope right, this is the most important part of any PCI DSS project bar none – you must get this correct. Third parties being brought into outsource parts of the PCI DSS scope should be carefully checked before being brought on board. Many will say they are PCI DSS compliant – unfortunately many are not. Ensure you request a copy of the AoC before you engage their services. PCI DSS has to be maintained. Do not complete the project and forget about the requirements until the next year. Review and maintain PCI DSS over the whole year. Identify and address any issues as and when they occur – do not leave them for later. PCI DSS does not have to be difficult. Yes, it has components that are often challenging to achieve, but in reality PCI DSS should be a part of normal business procedures, not an independent requirement. Almost all of the security requirements contained within the compliance model are considered to be best practice. If you are a service provider or merchant taking card payments, you will need to prove PCI DSS compliance. Do not try to get around it – you will not succeed. Many have tried and many have failed. Significant changes to the network infrastructure require retesting of vulnerability scanning, scans by an Approved Scanning Vendor (ASV) and penetration testing. Most of these can be done in- house but the person conducting them must be trained. A QSA will check during an audit: failure to provide these will result in a fail. You are required to have a knowledgeable and trained member of staff with regards to information security. This means they must have experience in dealing with information security (not IT security, which is only a small part of the picture). This role can be outsourced if need be, but the organisation seeking to become PCI DSS compliant must have access to this skillset in some fashion. “If you are required to have a QSA review and sign off your PCI DSS compliance, spend time selecting the right QSA for your organisation” If you are required to have a QSA review and sign off your PCI DSS compliance, spend time selecting the right QSA for your organisation. Some are more experienced than others and opinions and interpretations of PCI DSS can differ. Select your QSA wisely. In addition, most QSAs in the UK will cost you about £1,000 per day. Be prepared to pay a premium for the services of a good QSA. There are some that offer services at a much lower cost but experience has proved that these QSA companies are not particularly helpful. Don’t forget, it is commonly the fact that you get what you pay for. Spend time finding the right QSA as you will be working with them extensively. About the author James Rees is the chief information security officer of Razor Thorn Security (www.razorthorn.co.uk), specialising in PCI DSS, risk management and cyberwarfare. He has consulted and been an advisor on information security for some of the largest and most complex organisations in the world. Computer Fraud & Security 17

Tutor Answer

chemtai
School: UIUC

please find the attached file. i look forward to working with you again. good bye

Running head: PAYMENT STANDARDS

1

Payment standards-payment card industry data security standards
Name
Tutor
Institution
Course
Date

PAYMENT STANDARDS

2

Payment standards-Payment Card Industry Data Security Standard
Abstract
The introduction part of this paper is an insight definition of PCIDSS and spells out the
reason for the introduction of the standard. The paper dwells in depth on the importance of
PCIDSS which include boosting the confidence of customers for their companies, helping
companies to evade issues like lawsuits due to guaranteed security standards, reduction of
breaching cases for the member companies thus the retention of clients’ information and also
client protection. The growth and transactions of PCIDSS are analyzed and presented in a graph
that covers the transaction type and the growth in percentage. Security risks of the compliance
are also looked at and they include aspects like the incurring of non-compliance fee and fines.
The challenges of PCIDSS are also looked at from the perspective of the compliant
organizations.
Key words: qualified security assessor (QSA); compliance and internal security assessor
(ISA).

PAYMENT STANDARDS

3
Introduction

Payment card industry data security standard (PCIDSS) is a standardized information
security for companies that deal with securing credit card from big cars agencies. The main
reason why PCIDSS was created to prevent most cases associated with credit card frauds that are
experienced and reported almost on a daily basis. The frauds are experienced because of
inappropriate...

flag Report DMCA
Review

Anonymous
Awesome! Exactly what I wanted.

Similar Questions
Hot Questions
Related Tags

Brown University





1271 Tutors

California Institute of Technology




2131 Tutors

Carnegie Mellon University




982 Tutors

Columbia University





1256 Tutors

Dartmouth University





2113 Tutors

Emory University





2279 Tutors

Harvard University





599 Tutors

Massachusetts Institute of Technology



2319 Tutors

New York University





1645 Tutors

Notre Dam University





1911 Tutors

Oklahoma University





2122 Tutors

Pennsylvania State University





932 Tutors

Princeton University





1211 Tutors

Stanford University





983 Tutors

University of California





1282 Tutors

Oxford University





123 Tutors

Yale University





2325 Tutors