The Little Known Six Letters That Protect Your Data
TechLawLogy™: eDiscovery and Privacy Blog
You may have never heard of the Payment Card Industry Data Security Standard (PCI DSS), but it is at work behind the scenes to keep your digital information safe. The PCI DSS consists of twelve requirements that set forth data protection measures for entities involved in payment card transactions. While the PCI DSS standards are stringent, a business’ payment card transaction data will always be susceptible to some form of outside threat. To be sure, several PCI DSS compliant businesses have still suffered major data breaches even after implementing the standard. But the PCI DSS is a good start.
A Business May Be Contractually Or Statutorily Required To Comply With The PCI DSS
In 2006, payment card vendors American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International founded the PCI DSS Council, whose mission is to protect payment account data security by encouraging merchants to adopt the PCI DSS in order to establish consistent data security measures across the industry. To achieve this goal, Council members typically incorporate the PCI DSS into their contractual relationships. Visa International, for example, requires banks that issue Visa credit or debit cards, as well as banks that process Visa credit or debit card transactions on behalf of a merchant, to comply with the PCI DSS through contracts. Visa further requires those banks to ensure compliance by their merchants and service providers who store, process, or transmit Visa account numbers. The individual payment card vendors determine any penalties for noncompliance with the PCI DSS. Thus, it is important for any entity involved with a payment card vendor to review its governing contract, because noncompliance with the PCI DSS may result in significant financial penalties or the loss of payment card network privileges.
Data privacy is a rapidly growing industry and, as a result, is surrounded by rapidly evolving statutory requirements. Several states have begun enacting laws incorporating the requirements of the PCI DSS. For instance, in Washington, a business that is compliant with the PCI DSS at the time of a data breach is not liable for the data breach. And in Nevada, a law requires that if a business accepts card payments related to the sale of goods and services, the business must comply with the PCI DSS.
As a matter of contract law and, in some cases, statutory law, the PCI DSS may have an impact on your business model. If you are unsure of how the PCI DSS applies to your business or if you are compliant with its requirements, please Contact Us.