Inside: The GC’s role in ensuring compliance in the payment card processing environment
As the rate of data breaches and cyber-attacks continues to rise, it remains imperative for general counsel to understand the risk landscape of payment card processing systems and to create a plan to mitigate such risks in the future.
March 10, 2014 at 04:00 AM
12 minute read
The original version of this story was published on Law.com
In 2013, a number of high-profile data breaches involving major retailers such as Target and Neiman Marcus placed an unwanted spotlight on the vulnerability of debit and credit card point of sale (POS) systems. The legacy mag-stripe payment card system, on which so many consumers and merchants rely, is long overdue for improvement: the data encoded on a magnetic stripe is static, so a copy captured at any point in the transaction can be reused to clone the card. Such improvements may come in the form of new technologies and emerging payment systems that offer more efficient and secure transaction methods.
While a discussion of alternative or emerging payment systems is beyond the scope of this article, a comprehensive understanding of the current payment card processing system will prove useful, and timely, for the general counsel who wants to take ownership of compliance and risk in this area. Leaving compliance to IT alone forgoes the partnership with in-house counsel that proper compliance requires, and ignores a significant and potentially expensive risk in the management and security of customer data.
Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) requires the same scrutiny and vigilance as any other corporate or data governance matter and, coming on the heels of 2013, which PC World labeled “The Year of the Personal Data Breach,” consumer awareness and concern has reached an all-time high.
The purpose of this article is to help in-house counsel understand the risk landscape inherent in legacy payment card processing systems and develop a strategy to mitigate such risks.
Who are the people in your payment card ecosystem?
In brief, payment card networks provide the “rails” that link together merchants who accept payments via credit and debit card to customers, third party payment processors, merchant acquirers and depository institutions. The American Express and Discover card networks are unique in that they connect merchants and consumers directly. In contrast, Visa and MasterCard follow a slightly different process; they maintain relationships directly with financial institutions that are also part of the payment card ecosystem.
Banks that provide customers with cards to use for purchases are referred to as “issuing banks,” while banks that partner with merchants to offer payment card services are called “acquiring banks.”
There are also entities that act as agents for merchants and acquiring banks for purposes of processing payments called “third party payment processors” (TPPPs). First Data, Global Payments, Fifth Third and BA Merchant Services are all examples of TPPPs.
Together these entities form the payment card ecosystem and each have varying degrees of exposure and risk regarding the compromise of cardholder information.
Who is responsible for the PCI-DSS?
In 2004, the major credit card companies established the PCI-DSS in order to assure that all parties were equally committed to the security of the payment card ecosystem and to bolster consumer confidence by requiring merchants and processors to adopt the same types of data protections required by law for financial institutions.
In September 2006, the five major card brands formed the Payment Card Industry Security Standards Council (PCI-SSC) to manage the PCI-DSS and to act as a governing body that continuously refines the standard. Among other things, the PCI-SSC publishes the technical standards and assessment procedures used by the payment brands, maintains lists of qualified assessors and approved scanning vendors, and sets the criteria for qualifying Qualified Security Assessors (QSAs). An on-site assessment by a QSA, documented in a Report on Compliance, is the form of validation the card brands require of the largest merchants; smaller merchants generally validate through a self-assessment questionnaire, as directed by their acquiring bank.
What is required of merchants under PCI-DSS?
PCI-DSS consists of 12 requirements, each with detailed sub-requirements and testing procedures, that apply to any entity that stores, processes or transmits cardholder data. Each member of the ecosystem is incentivized to ensure compliance at each end of the payment transaction. The requirements can be grouped into six broad directives:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
Additionally, the validation requirements (how, and how often, compliance must be demonstrated) are tied to “merchant levels” that each card brand assigns based on the merchant's annual transaction volume.
What is the GC's role in PCI-DSS compliance?
- Communicate the risk and consequence of failing to comply with the PCI-DSS requirements applicable to the company's merchant level to the appropriate members of the corporate governance infrastructure. Compliance with PCI-DSS necessitates the hiring of internal and external experts, constant attention to developments in payment system technologies and, above all, an appropriate level of capital investment to maintain compliant systems. The consequences of failure could include losing the ability to accept payment by credit or debit card. A breach involving cardholder data could also expose the company to significant fines and assessments, passed down through its acquiring bank, because the cost of the compromise is borne by other participants throughout the payment ecosystem.
- Conduct a thorough review and evaluation of the organization's PCI-DSS compliance at regular intervals to ensure that compliance processes and policies are current and accurate for the organization.
- Collaborate continuously with other members of the company's payment card ecosystem to review existing threats and potential vulnerabilities that could impact the payment system. Understanding the risk landscape will enable general counsel to communicate and educate others in the organization about potential risks and will facilitate adequate preparation and defense.
- Frequently review PCI-DSS documentation and updates to ensure that the company's compliance practices are current and regularly conduct assessments of third party compliance so that risks are quickly identified and mitigated. Be mindful of internal changes, such as a turnover in IT personnel, which can result in gaps in oversight.
- Carefully review agreements with acquiring banks and merchant service providers to understand the contractual requirements and obligations placed upon the company. The third party payment processing market is rapidly growing as the payments industry evolves in response to new technologies and changing consumer demands. General counsel can be essential in negotiating favorable terms and rates when they understand the fee structures in processing agreements.
Conclusion
As the rate of data breaches and cyber-attacks continues to rise, it remains imperative for general counsel to understand the risk landscape of payment card processing systems and to create a plan to mitigate such risks in the future.