The materials contained herein represent the opinions of the authors and editors and should not be construed to be the action of the American Bar Association, Section of Science & Technology Law or the Center for Continuing Legal Education unless adopted pursuant to the bylaws of the Association. Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only.

This publication accompanies the audio program entitled “The Legal Implications and Risks of the Payment Card Industry (PCI) Data Security Standard” broadcast on April 29, 2008 (Event code: CET8LIP).
Discuss This Course Online
Visit http:/www.abanet.org/cle/discuss to access the discussion board for this program. Discussion boards are organized by the date of the original program, which you can locate on the preceding page of these materials.
The Legal Implications and Risks of the Payment Card Industry Data Security Standard
Our Panelists
Roadmap
PCI Background
What is PCI?
2. Do not use vendor-supplied defaults for system passwords and other security parameters
10. Track and monitor all access to network resources and cardholder data
vs.
PCI Standard
Merchant Levels
Assessment Actions
Level Assessment Actions Validated By
Validation Dates
Date Applies to
Merchant Bank (e.g. Chase, Citibank, Fifth Third Bank, credit unions)
Merchant (e.g. any company that accepts payment cards for transactions)
Service Provider (e.g. any company that processes, transmits or stores payment card data)
No Direct Duty for Service Providers to Comply with PCI or Security Programs
Servers in 300 stores across 3 states compromised at the point-of-sale terminals; it appears that the data was not encrypted on internal networks or prior to transmission for processing
December 7, 2007: the data breach first began; Hannaford's privacy policy stated it was PCI compliant at the time
April 22, 2008: Hannaford reports plans to spend millions on security, including encryption of all card numbers during the entire time they are within the supermarket chain's data network, and intrusion detection
“Compensating controls”
Looser – “unreasonable”
Resolving Ambiguities
QSA shopping
Rubber-stamping
T.J. Hooper?
How were ambiguities resolved? (e.g. PCI Council, payment card brand, acquiring bank, business considerations, e-mails, etc.)
How was the process approached? (e.g. QSA shopping, rubber stamping, check-box mentality, proper personnel, etc.)
Loose interpretation: the contract language indicates that the service provider agrees that it must adhere to the PCI Standard, but the merchant has discovered that the service provider still has some controls to implement to achieve full PCI compliance, and the contract imposes a deadline after its effective date for achieving such compliance. Under this interpretation a merchant complies with 12.8.1 as long as the service provider contractually promises to adhere to the PCI Standard during the contract term by a certain reasonable date, even if it is not compliant at the inception of the contract.
PCI Compliant, but not reasonable security (PCI Standard itself is weak)
Hannaford did not follow its PCI policies and procedures after PCI compliance was assessed
What to do?
From a legal standpoint?
Contractually
Assess Upstream; Impose Downstream
Develop a service provider contracting strategy (current and future vendors)
Incorporate “waivers” into the contract
Liability Mitigation
Reach out to the security team and get involved at the start (A.C.T.: awareness, communication, translation)
Use attorney-client privilege (e.g. remediation work)
Adverse admissions: look out for the creation of a paper trail (e.g. audits, letters to merchant banks, etc.)
Strict compliance (and if not, anticipate litigation issues)
Get it in writing and have it confirmed by relevant stakeholders
Questions?