Out-Law / Your Daily Need-To-Know

New payment card data security standards finalised

Out-Law News | 08 Nov 2013 | 2:34 pm | 3 min. read

Retailers, banks and other companies involved in processing credit and debit card payments will be subject to a new set of data security requirements from January, the Payment Card Industry Security Standards Council (PCI SSC) has announced.

The updated PCI Data Security Standards (12-page / 244KB PDF) (PCI DSS v3.0) introduce new obligations around security threat monitoring, physical and remote access to data, security testing and responding to security alerts, among other examples.

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

PCI DSS v3.0 will take effect from January, although some aspects of the framework will be treated as 'best practice' recommendations for a time to give companies time to adhere to the new standards. The old framework will "remain active" until the end of 2014, PCI SSC said.

Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, welcomed the addition of a new rule to the PCI DSS v3.0 regime which affects third party service providers, but warned about weaknesses in outsourcing contracts.

Under the framework, service providers are obliged to detail in a written acknowledgement to their client that they are "responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment".

According to guidance issued alongside the new rules, this new requirement is "intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities" and "evidences commitment to maintaining proper security of cardholder data that it obtains from its clients".

However, McFadyen said: "Organisations that outsource aspects of their processing systems more often than not do not have sufficiently robust contractual provisions dealing with PCI DSS compliance and, critically, the impact of security incidents and response that is required to such incidents."

In September Michael Aminzade, director of delivery for EMEA and APAC at information security provider Trustwave, warned that the then proposed upgrades to the PCI DSS framework did not set sufficiently strict obligations on retailers to assess risks associated with introducing new technology into payment systems. He told Out-Law.com that provisions relating to risk assessments had to be strengthened.

Following the publication of the final PCI DSS v3.0 framework, Aminzade said he still had concerns.

"Overall, the Council has made some excellent improvements to the standard, but the risk management area of PCI 3.0 still needs more work," he said. "The main area of concern is that even though the new standards reference risk management strategies that must be met, the standard doesn’t force companies to adopt any of those strategies. In particular the standard doesn’t address the fact that risk assessments need to be done by an industry-certified professional and are only performed on an annual basis."

"Also, PCI DSS 3.0 does not include any changes surrounding mobile security.  Merchants are struggling with how to protect mobile payment solutions and integrating mobile devices into their organisations. The Council released a best practices guide for mobile security more than a year ago, but it would be more beneficial to release additional guidance pertaining to mobile data security," Aminzade added.

Retailers should also be given more advice on what security tools are appropriate to use, he said. This guidance could have been built into the PCI DSS v3.0 framework, he added.

"Merchants should be using security tools that demonstrate their systems are configured to meet the compliance requirements," Aminzade said. "There are many options on the market that can easily perform the following functions: identify improper use of guest and administrator accounts; find weak and default passwords; perform a network inventory and validate current antivirus software."

"PCI DSS 3.0 is a good opportunity to mandate that merchants use these tools so that they can better demonstrate they are in compliance. Security is now so complex that some merchants do not understand how to interpret the PCI requirements. They need recommendations pointing to tools they can use that help them become compliant," he said.

The UK's Information Commissioner has previously said that retailers that fail to store payment data in accordance with PCI DSS "or provide equivalent protection when processing customers' credit card details" could be held to be in breach of the Data Protection Act and be subject to fines.