Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so. The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers. Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. This past November, and then again in February, the Council issued guidelines to help merchants (and some third-party service providers) comply with PCI DSS when they perform assessments of risks to cardholder information within their systems, deal with cloud service providers, and accept payments using mobile devices.
On November 16, 2012, the Council issued its guidelines to help organizations perform risk assessments that comply with PCI DSS. According to BNA, some of the Council’s key recommendations include encouraging organizations to:
- implement risk assessment methodologies that suit the culture and requirements of the particular organization; and
- utilize continuous discovery processes that allow organizations to discover threats and mitigate them in a proactive and timely fashion.
The Council also emphasized that risk assessments should not replace the requirements of PCI DSS.
Cloud Service Providers
The Council also has published guidelines for dealing with cloud service providers. Because many organizations entrust cardholder information to cloud service providers (like Google), the Council emphasized that compliance with PCI DSS is a shared responsibility between the organization and the cloud service provider. The more aspects of a business a third party manages for that business, the more responsibility that third party has for maintaining PCI DSS protections. Significantly, the guidelines suggest that organizations and cloud service providers clearly set out security responsibilities in contracts between them to avoid misunderstandings.
The Council also has offered best practices for accepting credit card payments on mobile devices. Mobile devices are not designed to accept sensitive financial information, and are therefore particularly vulnerable. For this reason, the Council provided recommendations to ensure the security of mobile devices used to process payments. The Council did not recommend that merchants allow “bring your own device” policies, where an employee brings to work a device that the employee (not the merchant) owns and controls, because the merchant has no control over the content and configuration of that device. With the increasing popularity of Square, merchant adherence to strict standards in this area is only going to become more important.
* * *
Above all, the Council’s guidelines show just how seriously the credit card industry considers the protection of cardholder information at each step of the payment process, from the initial purchase through to the storage of the information. Yet some security threats to cardholder information, including a basic one that I wrote about here, remain unaddressed, so the credit card industry still has some work to do.