The 2013 data breaches that affected many major retailers, from Target to Neiman Marcus, were high-profile and public, and threw an unsightly and frankly frightening spotlight on the sheer weakness of the security standards inherent in the current credit card payment solution model. Indeed, PCWorld magazine labeled 2013 “The Year of the Personal Data Breach.”
The current system, which uses a magnetic stripe on the credit card to store the user’s data, is outmoded, archaic, and in dire need of update and improvement. Of this there is no doubt. It is also likely that these needed updates will come in the form of new technologies and systems that represent a more efficient and secure credit card payment solution than those currently in place. What this means is that there will be a major overhaul of how credit cards work, and even what they look like.
It is also certain that in-house general counsel will have to partner with the latest in IT standards to ensure compliance with any new regulations that result from this overhaul—any major revision in standards like this is going to get complex in a legal sense. The current standard for credit card security is the Payment Card Industry Data Security Standard (PCI-DSS), established in 2004 by the major credit card companies. The standard is detailed and complex, and breaks down into broad directives such as building and maintaining secure networks, protecting data, managing vulnerabilities, implementing access control measures, regularly monitoring and testing networks, and maintaining information security policies. These are in addition to specialized requirements tied to merchant levels, which are determined by sales volume.
In 2006, the credit card companies created the Payment Card Industry Security Standards Council (PCI-SSC) to manage the complexity of the PCI-DSS and to enforce the standards in place. This council performs audits, maintains information about credit card payment solution security providers, and establishes the criteria for certifying the Qualified Security Assessors, who are the only assessors recognized to validate compliance with the PCI-DSS.
The general counsel, or an advisory attorney who specializes in compliance issues, is needed to interpret the PCI-DSS and to advise internal IT departments of the risks involved and the consequences of non-compliance. The attorney will also conduct regular reviews of this compliance, collaborate with the company’s credit card payment solution hierarchy, and continually review not only the current standards documentation but also contracts with outside institutions, to ensure continuous compliance.
Whether the future sees a revised PCI-DSS standard or a new standard altogether that replaces the current one, IT departments alone will not be able to handle the complex new security standards in place—attorneys will continue to be a vital part of the credit card payment solution infrastructure.