Out-Law / Your Daily Need-To-Know

How safe is your customer's card data?

Out-Law Guide | 21 Jan 2011 | 4:44 pm | 5 min. read

This guide was written in January 2011. It is based on UK law.

OPINION: Gambling firms risk fines, reputational damage and restrictions on processing cardholder data if they, or their suppliers, don’t comply with industry standards on storing payment card details.

"Card data thefts hurt companies in ways they cannot imagine and if a brand name is damaged, then confidence is destroyed and consumers lose trust."  This was the chilling statement by Visa Europe to the Combating Cybercrime at the Betting and Gaming conference in London three years ago.  The same is true today.

Visa Europe's statement highlights that the storage and proper use of payment card information received from customers (either over the phone or the internet) is one of the biggest but least understood commercial risks for online retailers and businesses in the gambling industry.

Over the last five years, there have been a plethora of cases in which credit or debit card information was lost or stolen resulting in fines, sanctions by the card schemes, and damage to business reputation.

As an example, 45 million credit and debit card numbers were stolen from TJX, owners of TJ Maxx, when a computer hacker broke into the TJ Maxx wireless network and stole unencrypted credit card numbers.  TJ Maxx failed to encrypt or truncate the card numbers and the loss to TJX is estimated to be between £328 million for card scheme fines, law suits, costs and management time and £1 billion in terms of loss of business and reputational damage.

TJX data theft should serve as a wakeup call to all retailers who risk losing money and credibility when they fail to protect sensitive cardholder data.

What are the requirements?

The main standard related to storing payment card data is the Payment Card Industry Data Security Standard (PCI DSS).  This sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. 

PCI DSS is an industry standard set up by major payment card brands through the PCI Security Standard Council (PCI SSC).  The members of this Council include American Express, Visa Inc, JCB International, MasterCard Worldwide and Discover Financial Services. 

PCI DSS applies to every organisation (including banks and merchants that accept payment cards) which is involved in the flow of cardholder data through the life of a transaction eg from collection of the data through to processing and storage, and includes all third party service providers which fall within this definition.

Third party contracts

A gambling firm or other online retailer is responsible under PCI DSS for ensuring that all third party service providers who transmit or process its customers' cardholder data are PCI DSS compliant.

Contracts which are likely to be affected by PCI DSS are contracts which a business has with:

  • payment service providers;
  • payment processing bureaux;
  • data storage providers;
  • web hosting providers;
  • shopping cart providers;
  • software vendors;
  • miscellaneous third party agents, including any outsourcing contracts for card printing or card statement printing.

Gambling firms should ensure that any relevant agreement with a third party supplier includes an obligation that the supplier is PCI DSS compliant as well as a right to require documentation from the supplier confirming that it has been certified as PCI DSS compliant.  Businesses should also be indemnified by the supplier if any action of the supplier causes the firm to be liable for any fines, damages or losses.  This indemnity should be uncapped as PCI DSS fines can be very large.  (These fines are not criminal sanctions, so an indemnity can be effective.)

Gambling firms should also try to negotiate a right to terminate its agreement with a third party supplier if there is an incident which damages the reputation of the gambling firm such as loss of data, or if the third party supplier's PCI DSS certification is suspended or revoked.  A right to terminate the agreement for a change of control of the third party supplier is also advisable so the gambling firm is not forced to contract with a entity which is not PCI DSS compliant or which may cause it reputational damage.

Also, a PCI DSS compliant third party supplier may have the right to subcontract material services provided to businesses and its subcontractor may not be compliant.  A gambling firm should require a right to approve all material subcontractors and ensure the third party provider is responsible for any breaches by its subcontractors and indemnifies the gambling firm for any loss caused by a breach by the subcontractor.

Telephone recording

One of the common mistakes made by retailers including gambling firms in relation to PCI DSS is to not delete call centre recordings which refer to a customer's payment card data.  In 2009, a Symentec call centre agent in India stole credit card details of several UK customers and offered to sell them to a BBC reporter, and in February 2010 an HBOS call centre worker stole £250,000 from customers.  It is estimated that more than 95% of UK call centres which store recordings of transactional conversations with their customers do not delete or mask the credit card details. 

For telephone transactions which record payment card data, any form of digital audio recording for storing CAV2, CVC2, CVV or CID security numbers after authorisation is prohibited by PCI DSS.  The advice from PCI SSC is to enable technology that prevents recording of this sensitive authorisation data.  The only exception to this guidance is that sensitive authentication data which cannot be data mined or retrieved can be stored after authorisation but in all cases, it should be deleted or removed from any digital recording system if possible.  The best approach is to prevent call centre agents from hearing card details at all, and to prevent the card details from being recorded.

What are the consequences for not being compliant with PCI DSS?

While the enforcement schemes for PCI DSS violations vary slightly between payment schemes, generally they comprise 2 main threads: (1) the service provider and/or the customer will be fined; and (2) restrictions will be imposed on the service provider which will hinder its ability to process cardholder data in the future.

For example, in March 2009 RBS Worldpay was removed by Visa from its list of compliant companies after a data breach resulted in the loss of 1.5 million prepaid and gift card numbers. RBS was restored to the list in May 2009 after rectifying the problem.

Under Visa's current enforcement scheme, a non-compliant service provider or non-compliant customer could expect to be fined a one-off penalty of at least £10,000.  Continued non-compliance is likely to give rise to monthly fines of approximately £5,000-£15,000.  Card schemes can also charge for the cost of investigations, the cost of data restoration and other fees.  According to Visa, the average cost of a card number data breach is £7.4 million.

Proper use and storage of customer's card data is therefore now a fundamental requirement for any gambling firm or other online retailer in the UK.

Contact

Tom Brown

Based in: Leeds

Email: [email protected]

Telephone: +44 (0) 113 294 5177