A few months ago, this column took up the subject of states moving to legislate certain portions of the PCI DSS. Minnesota had passed its Plastic Card Security Act and Texas had debated a law that would dramatically increase the scope of compliance and the mandate for validation. Since that time, California has also passed a law, the Consumer Data Protection Act of 2007. This trend, as has been witnessed with the various state data breach notification laws, is likely to continue across the country. It is also likely to give rise to another trend: that of removing data from the infrastructure entirely.
In September of 2007, the California state legislature passed the Consumer Data Protection Act. It was sent to the governor for signature the week of September 10, 2007. This bill is substantially similar to the Minnesota law, but actually imposes greater mandates on those companies that store personal financial information. The California law would prohibit any entity “conducting” business in the state from storing “payment related data” unless the entity has a “payment data and retention” policy that specifically delimits the time and purpose for which such data can be stored. Such limits must be in accordance with good business practices and regulatory requirements.
While space and time prohibit a full discussion of the California legislation, suffice it to say that there are a number of clauses which may prove difficult for many companies. Among the elements that may prove challenging are the provisions dictating practices for the storage of data. Specifically, the California law would prohibit the storage of all sensitive authentication data (which is presently prohibited by the PCI DSS and the Card Brand Operating Regulations anyway) as well as the retention of the primary account number unless that information is “unreadable and unusable by unauthorized persons anywhere it is stored.” While the PCI DSS makes concessions for reasonable business or technical limitations that may inhibit the use of encryption, the California law makes no such provision.
In order to “encourage” companies, namely service providers, to comply with the new law, it contains a clause that makes the service provider that suffers a breach, rather than the merchant, responsible for the costs of notifying affected consumers. This differs somewhat from the Minnesota law, which can be interpreted to make the merchant liable for breaches at service providers.
California has long been the standard bearer for data security and privacy legislation. The most recent example of this leadership has been the ground-breaking legislation requiring companies to notify individuals of instances in which their data may have been compromised. If this trend continues, and there is no reason to believe otherwise, it is safe to assume that dozens of states will look to emulate the PCI DSS legislation that is occurring there. If that is the case, companies of all types and sizes will be required to comply with dozens of state laws and their varying mandates as to the care due to consumer data.
This industry has already seen the impact of heterogeneous state laws. Over three dozen breach notification laws have been passed. While the intent is the same, there are significant differences among the laws. What constitutes a breach? What data is covered by the law? What triggers notification? How must notification be made? There are roughly three dozen answers to each of these questions. It is likely that the same phenomenon will repeat with the PCI DSS laws that are now being passed.
These laws prove an inelegant solution to a difficult problem. While the intent, the protection of consumer data, is admirable, the manner in which the objective is ostensibly achieved is difficult to reconcile. Rather than increasing the penalties for those that misappropriate the data, the laws seek to make data security experts of merchants. This diverts significant resources from the merchants’ core competency. The result can be deleterious to the merchant, and through the magic of “trickle down” the consumer ultimately pays the price.
While the trend to legislate PCI DSS compliance is rather nascent, with two states having passed laws and one debating it, it has already spawned another. This second trend, which has a more positive impact, is the move by service providers to find ways to remove the burden of data protection from the merchant entirely. Such solutions would allow merchants to focus their energies on their business objectives and let the weight of data protection fall on the shoulders of those companies that have made it a core competency.
One category of service providers addressing this need is hosting providers. As more and more companies focus on business operation efficiency, the option of outsourcing infrastructure becomes more appealing. However, the efficiencies that can be realized by outsourcing are often counterbalanced by the fear of poor data security. There are, however, some forward-thinking hosting companies that have taken the step of integrating solid information security practices into their standard hosting offerings. From physical security to incident response and business continuity, the ability to offload many (but certainly not all) data security tasks allows merchants, and in some cases even service providers, to focus on their business objectives rather than security requirements. Some hosting companies have even created specialized hosting platforms to address the specific concerns of companies facing PCI DSS compliance obligations. Other compliance obligations may also be met, depending upon the specific services and configurations chosen.
An additional class of service provider that is leading the industry in addressing the increasing challenge of protecting consumer data is the payment gateway. These companies are in a unique position within the industry in that they contract directly with merchants and support transaction processing. Some gateways are using their position to develop products and services designed specifically to reduce the merchants’ data protection burden. The notion is to stop building up the “vault” to protect the data and instead simply move the data to someone that has the resources to protect it appropriately. In these solutions, for example, the merchant never touches Cardholder Data (as it is defined in the PCI DSS): from the POI through authorization and settlement, cardholder data is never resident on the merchant’s systems. While the merchant may still be responsible for some PCI DSS requirements, the vast majority, and certainly the most onerous requirements, are met by the service provider rather than the merchant. Additionally, some companies that have developed these solutions have widened their applicability. Not only can they secure cardholder data, but other types of data as well. This helps companies address not just PCI DSS compliance, but broader issues of security and privacy as well. One organization that appears to have created the textbook example of such a solution is TrustCommerce.
This capability is of particular interest to those companies that deal with multiple compliance obligations, from PCI DSS to GLBA and HIPAA. It also shows tremendous foresight on the part of the companies offering and using these solutions. As has been the case over the past several years, legislation is not going to stop at one particular type of personal data. The country is likely to see legislators continue down a similar path, mandating protections for a variety of data until virtually all personal data is protected under law. Using these service providers allows companies to get back to their core focus, as opposed to becoming technologists and security experts. It also stands them in good stead with respect to forthcoming legislation and industry mandates.
While it may be tempting to bemoan the notion that government is going to be more involved in the day-to-day business of the industry, the fact is that the movement is inevitable. As data continues to hold value, the industry is going to be continually called upon to offer an increasing level of security for that data. Rather than spending ever more resources to meet that demand, it may make sense for many companies to seek out these new services and products. In that manner, merchants and service providers can still meet the growing rigor of data security and privacy requirements without having to devote in-house resources to the problem. Legislation is causing a fundamental shift within the payments industry away from merchants storing volumes of data and toward a structure where a few ‘trusted third parties’ are entrusted with the storage of critical data. With each new piece of legislation, the momentum toward such solutions continues to grow.