Unlike many security laws, the Payment Card Industry Data Security Standard (PCI DSS) is not a statute or regulation and is therefore not subject to government enforcement. That said, PCI DSS compliance has significant legal implications for any business that handles cardholder data.
That’s precisely why Elaine Harwell, senior privacy and cybersecurity counsel from San Diego’s Procopio law firm, spoke at RSI Security’s recent PCI Expert Summit. In just its second year, the PCI Expert Summit brought together some of the brightest minds in cybersecurity, technology and compliance — in a virtual format.
Elaine presented an engaging session on what any business that handles, transmits or stores cardholder data needs to know about PCI compliance from a legal perspective. She gave an overview of the legal foundations of the framework, how PCI DSS interacts with existing legal frameworks, and how your legal team should be involved in compliance efforts.
Legal Foundations and Contractual Relationships
Harwell kicked things off with an overview of the legal grounding of PCI DSS that all organizations should familiarize themselves with. It is important to understand that PCI DSS is an information security standard, not a law. Even so, PCI DSS in many ways operates like codified law, but with contracts standing in for courts and regulators.
Elaine also explained that PCI DSS reaches merchants in two primary ways from a legal perspective. First, PCI compliance is a contractual obligation: it flows from the card brands to acquiring (merchant) banks and from those banks to merchants through the merchant agreement. Second, state governments may choose to write portions of PCI DSS into state law, at which point those portions become legally enforceable mandates.
Merchants store, process and transmit cardholder data, often through service providers acting on their behalf. The direct obligation to the card brands, however, typically sits with the acquiring bank or payment facilitator, which passes it down to the merchant by contract. A merchant's exposure is therefore determined by its upstream contracts with its acquiring bank and by its ability to impose matching contractual requirements on its downstream service providers.
How PCI Interacts with Existing Legal Frameworks
Next, Harwell covered the relationship between PCI DSS, existing legal frameworks and U.S. Federal law. At present, Federal law does not explicitly incorporate PCI DSS requirements into either case law or statute. However, other Federal laws do govern the treatment of payment card data, so there is some overlap between Federal requirements and PCI DSS requirements.
Current Federal laws that contain security requirements related to PCI DSS include:
- The Gramm-Leach-Bliley Act
- The Fair Credit Reporting Act
- Section Five of the Federal Trade Commission (FTC) Act
- The Fair and Accurate Credit Transactions Act (FACTA)
As for the states, some have incorporated all, or parts, of PCI DSS into state law. Some have gone further and enacted statutes prohibiting the retention of certain cardholder and credit card data after authorization. Many states have also enacted laws requiring businesses to take extra care in protecting sensitive personal or financial data, including data breach notification statutes and laws mandating reasonable data security safeguards.
Litigation, Enforcement and Legal Team Involvement
Elaine then walked attendees through the types of litigation and enforcement that exist around PCI DSS. Consumer litigation does occur, in the form of cardholders suing over breaches of cardholder data. Historically these class actions have struggled to establish a legally cognizable injury, but that is changing in the courts.
Regulatory enforcement comes primarily from the Federal Trade Commission (FTC), which has charged merchants and payment facilitators with failing to provide reasonable security measures under Section Five of the FTC Act. Finally, issuing banks have brought breach of contract and negligence claims against breached entities to recover card reissuance and fraud costs, and a finding that the breached entity was not PCI compliant weighs heavily in those cases.
When it comes to your company's legal team and PCI DSS compliance, legal can help the security team understand how the legal system will scrutinize and judge the activities and decisions made in the course of compliance. Some of the activities and documents produced by a merchant's internal and external security teams may be shielded by attorney-client privilege or the attorney work product doctrine, but only if the work is structured that way from the outset: assessments and incident investigations commissioned and directed by counsel for the purpose of providing legal advice are far more likely to be protected than reports produced for purely operational reasons and shared with counsel after the fact.
Most of the legal risk in PCI compliance is contractual, and legal can reduce or limit that risk by drafting appropriate contracts, negotiating indemnification and liability terms with acquirers and service providers, and explaining the resulting exposures to the business.
One of the biggest takeaways from Elaine's session at the first ever virtual PCI Expert Summit is that PCI DSS is a security standard that has become de facto law. This is due to the adoption of PCI DSS provisions by a number of states, exposure to litigation for non-compliance, and potential Federal regulatory involvement under statutes like the FTC Act.
She recommends that all organizations consider how their security and compliance decisions would be viewed in a court of law. That requires the infosec, executive, legal and IT teams to work collaboratively. When your entire company, led by the security and legal teams, addresses PCI compliance holistically, it can ensure both ongoing compliance and minimization of legal risk.