PCI DSS Compliance: Accepting Credit Cards and Avoiding Data Breach Liability

Today, President Obama met with top credit card executives regarding protections for cardholders. Small businesses hope that customers can keep paying with plastic, but they also need to consider data safety when accepting payment. In addition to the Payment Card Industry Data Security Standard (PCI DSS), which applies to everyone who accepts credit cards, Minnesota has enacted, and more states are considering, laws making retailers liable to financial institutions for data security foul-ups. Now, more than ever, is a good time to make sure your business is PCI DSS compliant.
The President today called for an end to credit card practices including the abuse of sudden interest rate increases and fee changes. Obama also called for an end to the barrage of fine print and confusing rules in credit card agreements. As Bloomberg reports, he said, "[w]e want clarity and transparency from here on out."
One point on which small businesses should be clear is the need for PCI DSS compliance. If potentially losing the ability to accept card payments isn't enough of a threat, states are increasingly looking to punish merchants who don't comply with good payment data management practices.
PCI DSS is a data security standard created by the Payment Card Industry Security Standards Council, which was founded by the five largest credit card companies. There are twelve requirements to be PCI DSS compliant:
- Install and maintain a firewall configuration to protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters;
- Protect stored cardholder data;
- Encrypt transmission of cardholder data across open, public networks;
- Use and regularly update anti-virus software;
- Develop and maintain secure systems and applications;
- Restrict access to cardholder data by business need-to-know;
- Assign a unique ID to each person with computer access;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes; and
- Maintain a policy that addresses information security.
The PCI Security Standards Council's website offers a wealth of information about compliance, including this document giving detail on each of the twelve rules. They offer a prioritized approach that can help businesses more effectively mitigate risks on the road to compliance.
The need for PCI DSS compliance is not new, but state laws specifically punishing merchants with loose data management are new. Minnesota enacted a law allowing financial institutions to sue merchants in certain instances where data is stolen from the merchant. In theory, this is to allow for recovery of costs incurred by the financial institution, such as card cancellation, issuance of a new card, etc. Other states, including Texas, Washington, New Jersey and Connecticut are currently considering different variants of similar legislation.
The good news is that Minnesota's law, as well as those looming in other states, basically codify elements of the PCI standards. This means that ensuring PCI DSS compliance will likely mean safety under the state laws as well.
- Getting Started with PCI Security Standards (PCI Security Standards Council)
- Seize PCI Compliance Opportunities (Business Solutions)
- Why Most PCI Self-Assessments Are Wrong (Storefront Backtalk)
- Hackers Test Limits of Credit Card Security Standards (Washington Post's Security Fix)
- Identity Theft (provided by the Schwartz Law Firm)