Out-Law News

Data protection 'quandary' for retailers in proposed PCI DSS update timetable, says expert

UPDATED: Retailers should start planning early to adhere to an updated standard on the secure storage of payment card information, an expert has said.

The Payment Card Industry Security Standards Council (PCI SSC) has outlined proposed updates to its data security standards (PCI DSS) framework (11-page / 336KB PDF) and has set out a broad timetable for when retailers will have to comply with the new rules.

Under that broad timetable there would be a six-month period during which the old PCI DSS regime, version 2, would no longer apply but the version 3 update would not yet be fully effective.

"Version 3.0 will introduce more changes than Version 2.0," the PCI SSC said in a document highlighting the potential changes to the PCI DSS regime. "The core 12 security areas remain the same, but the updates will include several new sub-requirements that did not exist previously."

"Recognising that additional time may be necessary to implement some of these sub-requirements, the Council will introduce future implementation dates accordingly. This means until 1 July 2015 some of these sub-requirements will be best practices only, to allow organisations more flexibility in planning for and adapting to these changes. Additionally, while entities are encouraged to begin implementation of the new version of the Standards as soon as possible, to ensure adequate time for the transition, Version 2.0 will remain active until 31 December 2014," it said.

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

Although PCI standards have generally remained a contractual obligation in the UK, the Information Commissioner's Office (ICO) in 2011 suggested that retailers that fail to store payment data in accordance with PCI DSS "or provide equivalent protection when processing customers' credit card details" could be held to be in breach of the DPA and subject to fines.

The delay in the full implementation of PCI DSS version 3 leaves UK retailers "in a bit of a quandary" in relation to compliance with the Data Protection Act (DPA), technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said.

"If version 3 of PCI DSS is out but some of the rules are non-binding best practice guidelines for a period, how would the ICO view non-compliance with them?" McFadyen said. "Would it see it as indicative of a breach of the DPA to not follow the 'best practice' rules? It leaves retailers in a bit of a quandary. To avoid the uncertainty retailers could seek to achieve full compliance with version 3 by the end of 2014, but this accelerated timeline may prove challenging to some given the potential for both operational and systematic change."

Out-Law.com asked the ICO how it would treat non-compliance with the PCI DSS framework during the period between 31 December 2014 and 1 July 2015. A spokesman for the watchdog said that the ICO would initially look for compliance with the standard in place at the time any data breach occurred.

If a breach took place during a “transition period” the ICO “would expect to see evidence of activities being undertaken, or planned to be undertaken, by the data controller in order to reach the new standard of compliance whilst remaining compliant with existing requirements”, the spokesman said. He said that the ICO would, though, treat each investigation “on a case-by-case basis”. 

Final PCI DSS version 3 rules are not expected to be publicly released until November. The draft changes to the "sub-requirements" are still subject to consultation with industry at this time.

Planned version 3 requirements would, though, see retailers obliged to "maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity" and require service providers to "acknowledge responsibility for maintaining applicable PCI DSS requirements".

"This is an important reminder of the applicability of PCI DSS to an organisation’s internal and externally run processes, and the need to contractually secure compliance by, and an acknowledgement of responsibility from, third party providers," McFadyen said.

Editor's note 21/08/13: This story was updated with comments from the ICO.
