It should come as no surprise to anyone in the business of facilitating payment card transactions that the Payment Card Industry Data Security Standard (PCI DSS) has garnered attention from all quarters: the media, consumers, federal legislators and interest groups. As this article is written, an effort is afoot in the Texas legislature to mandate PCI compliance. While the bill has yet to pass the state Senate, the fact is that legislators are not only attempting to mandate PCI compliance, but are trying to stretch the purview of the standard beyond its original intention. While any attempt to protect customer data should be applauded, in this instance the bill substitutes the judgment of people unfamiliar with the landscape and business requirements of the industry for that of people who know and understand it.
The bill, HB 3222, passed the Texas House with a vote of 139-0. While these numbers may seem staggering, they are really not surprising. Constituents are clamoring for their legislators to take action to protect sensitive data. The state legislature, likely seeing the effectiveness of the PCI standard, is attempting to codify those requirements in order to satisfy its constituents without creating new requirements with which companies must comply. Seemingly this solution would offer the best of both worlds: constituents would get the law they have been asking for, and the legislature would not have to develop data security expertise in order to develop said law.
Despite the good intentions, however, the law does attempt to stretch the PCI beyond its original objective. Additionally, the proposed law does not take into account the complexities of the industry.
For example, subsection (c) of the proposed law states that “A business that, in the regular course of business in connection with an access device [credit, debit or stored value card] collects sensitive personal information or stores or maintains sensitive personal information in a structured database or unstructured files, must comply with the payment card industry data security standards [sic].” On the surface this may seem reasonable. However, as those in the industry know, the PCI standard applies only if the cardholder account number is present, and then only to the PAN, Cardholder Name, Service Code and Expiration Date. The bill never narrows the definition of “sensitive personal information.” In fact, subsection (b) states that “businesses shall implement and maintain reasonable procedures, including taking any corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business…” This seemingly benign phrase significantly broadens the scope of the PCI and will require significant investment in both time and resources for companies that have already achieved compliance.
Consider a merchant that uses Address Verification Services (AVS) for authentication. Is the address now considered sensitive personal information, as defined by HB 3222? AVS data is not required to be protected under the PCI DSS. This is one instance in which the bill and the PCI DSS are potentially in conflict.
Additionally, the law offers “safe harbor” to those entities that can prove compliance at the time of the breach. This attestation must be provided by either “a payment card industry-approved auditor or another person authorized to issue that certification or assessment.” This is especially significant to Level 1 and Level 4 merchants. Level 1 merchants, for example, are able to perform their onsite assessment using internal resources. So after a breach, according to the language of the bill, it would be possible for a Level 1 merchant’s internal auditor to assess their level of compliance at the time the compromise occurred. Level 4 merchants, on the other hand, are not required by the PCI to validate compliance unless directed to do so by their acquiring bank. Essentially, then, Level 4 merchants, who arguably present the greatest risk of compromise, are precluded from safe harbor under the provisions of this bill.
Further, the bill provides an exemption for companies that contract to a third party to “collect, store or maintain personal information in connection with an access device and can prove compliance,” and the third party is contractually required to be compliant. However, if that entity is not compliant, in violation of their contract with the merchant, the merchant is still responsible under the proposed law. It would then be left to the merchant to pursue contractual remedies with their service provider.
The analysis of the bill provided by the Business and Industry Committee states that “The bill requires the certification to be issued by a payment card industry-approved auditor no earlier than the 90th day before the date of the security breach.” This clause in and of itself presents a number of significant challenges. For example, the fact that the bill requires a certification by an industry-approved auditor creates a de facto requirement for quarterly on-site assessments for all merchants. The language itself is troubling. A ‘certification’ indicates a guarantee of accuracy. PCI DSS assessments do not result in certifications of compliance, but rather in an attestation or finding of compliance. This is a seemingly insignificant yet major difference. In addition, in some cases it may be difficult to determine the exact date of the breach. In such cases, would the law be construed to mean 90 days prior to the date of discovery or 90 days prior to the date of the breach itself? Recently, it has been the trend that hackers will compromise data but hold it for 12-18 months before attempting fraudulent activity. Such a wait allows time for the evidence of the breach to be obscured. Banks may not see fraudulent activity for a significant period of time after the breach. This bill provides no expiration; entities will be held accountable in perpetuity.
Again, it should be emphasized that the Texas Legislature is taking an admirable step in the attempt to protect the data of its constituents. The method through which it seeks to do so, however, fails to address other areas of significant risk. The bill limits its purview to those companies that receive personal data in connection with an “access device,” defined as a debit, credit or stored value card. Essentially, it pertains to merchants only. Yet the risk posed by companies that collect personal data via other means remains unaddressed. A visit to the website www.privacyrights.org illustrates that the risk to personal data comes from all quarters, not simply from those accepting credit card payments. Colleges and hospitals, for example, are frequent sources of compromise, yet much of the data collected by those institutions is not collected in connection with an access device and thus would be exempt from this law.
The Texas Legislature’s approach to this issue is a perfect example of incrementalism. Incrementalism has been defined by Paul Johnson of Auburn University as a situation in which exhaustive study of the situation at hand is too resource intensive to be practical. As a result, changes are made only “at the margins.” Public policy scholar Charles Lindblom famously referred to this process as “The Science of Muddling Through.” Contrary to what most might believe, government is often slow to act in areas where it has little understanding. Given the relative youth of the data security industry, and the complexities of the payment processing world, government has to date been reluctant to take action. Spurred into movement by the public attention focused on data breaches, the state is attempting to take action based on existing industry standards. This is an example of incrementalism at its best.
The PCI standard and its attendant implementation guidelines, enforced by the Payment Card Industry Security Standards Council, were devised very specifically to address the unique risks and complexities found in the industry. The proposed Texas law strips those variables from the standard, making its implementation equal for all merchants regardless of transaction volume or business model. This makes the standard unduly burdensome for many merchants and may result in some smaller organizations simply choosing not to accept payment cards. Further, the inclusion of the phrase “sensitive personal information” significantly widens the purview of the PCI and results in disparate impact. Retailers will be held to a higher standard for the protection of personal data than will universities, health care facilities or financial institutions.