Increasingly, companies are raising questions about PCI-DSS and its applicability to their businesses. This Legal Alert summarizes the basic aspects of PCI-DSS and its application.

What is PCI DSS?

The Payment Card Industry Data Security Standard—or PCI DSS—sets out the minimum data protection measures required of all entities involved in payment card processing. The Payment Card Industry Security Standards Council (the PCI Security Standards Council) maintains the PCI DSS as part of its mission to improve payment account data security by encouraging the adoption of consistent data security measures. The PCI Security Standards Council is led by a policy-setting Executive Committee, composed of representatives of the Council’s five founding members – American Express, Discover, JCB International, MasterCard and Visa. Each founding member has agreed to incorporate the PCI DSS requirements into its data security compliance programs.

What are the PCI DSS requirements?

The PCI DSS consists of 12 basic requirements:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

The full text of the PCI DSS describes each requirement in depth. The PCI DSS also provides testing procedures and guidance for each requirement. The PCI DSS can be accessed at www.pcisecuritystandards.org. 

Note that the PCI Security Standards Council does not enforce compliance with the PCI DSS. The individual payment brands, and not the Council, determine any non-compliance penalties.

Who is affected by PCI DSS?

All entities involved in payment card processing are affected by the PCI DSS. These entities include merchants, processors, acquirers, issuers and service providers. The requirements also extend to all entities that store, process or transmit cardholder data or sensitive authentication data. The PCI DSS does not allow exemptions based on size or transaction volume. Even small merchants are required to comply with the PCI DSS if they accept payment cards or otherwise are involved in payment card processing.

Does PCI DSS apply to me if I don’t actually handle payment card data?

Merchants may be held responsible by their acquirers or payment brands in the event of an account data breach, even if they never store, process or transmit cardholder data. Merchants that outsource payment card handling to third parties are still covered by Section 12.8 of the PCI DSS, which requires that these types of merchants actively ensure that third-party service providers are PCI DSS compliant.

Since PCI DSS is an industry standard and not a legal requirement, isn’t compliance optional?

Although the PCI DSS is not itself a legal requirement, merchants typically are contractually obligated to comply. Many agreements, such as card processing agreements, expressly obligate the merchant to comply with either the PCI DSS or card network rules, which incorporate PCI DSS.

In addition, several states have begun to incorporate the PCI DSS into data security statutes, including Minnesota, Nevada and Washington. For example, the Minnesota Plastic Security Card Act implements a modified version of the PCI DSS requirement forbidding entities to store certain data after the authorization of a transaction (MINN. STAT. § 325E.64). Nevada law requires that any data collectors doing business in the state comply with the current version of the PCI DSS if such data collector accepts payment via payment card in connection with the sale of goods or services (NEV. REV. STAT. § 603A.215).

Finally, merchants in compliance with the PCI DSS have a valuable defense in the event of a data breach because PCI DSS compliance, as the industry standard, is an indication of reasonable care. In Washington state, this presumption is explicitly stated. A processor, business or vendor is not liable for a data breach if it was certified as compliant with the PCI DSS at the time of the breach (WASH. REV. CODE § 19.255.020).

What are the consequences of not complying with the PCI DSS?

Individual payment brands enforce the PCI DSS requirements against the participants in their networks. The consequences of non-compliance vary but may include fees and fines, economic remedies such as chargebacks, and even termination of network participation. Failure to be PCI DSS compliant also can be evidence of a party’s lack of reasonable care, thus supporting the claims of other parties that are seeking to allocate responsibility for a data breach to the non-compliant party.