computer law & security report 24 (2008) 540–554
available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Security and payment card industry regulation

PCI DSS: Payment card industry data security standards in context

Edward A. Morse (Creighton University School of Law, USA) and Vasant Raval (Creighton University College of Business Administration, USA)
Abstract

In recent years, the payment card industry has dealt with the matter of consumer liability for unauthorized charges. However, risks to consumers from identity theft and related use of personal data present new challenges for cardholders and those who profit from their usage, including merchants, banks, and payment card companies. This article examines the varying and sometimes complementary roles that legal obligations and private ordering play in incentivizing security measures to protect consumers. It shows that, in the legal environment within the United States, which lacks comprehensive legal protections for consumer privacy and security, private ordering rooted in economic incentives within the payment card industry can also bring about enhanced security for consumers. The Payment Card Industry Data Security Standards (“PCI DSS”) have emerged from private ordering, although threats of legal liability have also influenced their development and implementation. The article evaluates the basic framework of PCI DSS and raises issues for further development as the government, the legal system, and the industry cope with security threats in this environment. © 2008 Edward A. Morse & Vasant Raval. Published by Elsevier Ltd. All rights reserved.
1. Introduction

Payment cards – including credit cards, debit cards, and stored value cards – play a significant role in consumer transactions. In 2006, an estimated 2.27 billion payment cards were used in more than 74 billion transactions, with a total dollar volume of more than $5.9 trillion.[1] More than half of this global transaction market belongs to Visa, the world’s leading payment card firm.[2] Other significant competitors in the United States include Mastercard, American Express, and Discover.[3] The payment card industry is located between two interrelated markets: consumers who use payment cards (end-user or consumer market) and the merchants who accept them (merchants market).[4] Some payment card systems are unitary, in which the payment card company controls functions that include issuing cards to consumers and acquiring merchant accounts to accept those payments.[5] Non-unitary systems involve a network in which independent entities, such as banks, compete for customers in both markets.[6] For example, issuing banks will compete for cardholders, and acquiring banks will compete for merchant accounts.[7] Relationships within the industry are illustrated in Fig. 1.

In both unitary and non-unitary systems, industry profits depend on a seamless and trustworthy transaction network that fosters confidence among end-users.[8] As with other networks involving diffused ownership, shared standards or rules across the two markets are needed to ensure effective functionality. Although some of these standards or rules may be imposed by the government or entities outside of the network, others are a product of private ordering that emerges within the network.[9]

This article addresses security standards that impact the protection of consumer data within the payment card industry and the influences of law and private ordering on emerging issues involving consumer protection. Consumer protection from liability for unauthorized charges is one important dimension of consumer trust. Early in the developmental history of credit cards,[10] the Federal government provided legislation to protect consumers from unauthorized charges.[11] However, the industry has chosen to expand consumer protections through contract by enacting “zero liability” policies. Such policies induce consumer trust and confidence, allowing them to acquire and use their cards without fear of liability for unauthorized charges from a lost or stolen card.[12]

Consumers are also learning that unauthorized payment card charges are not the only form of insecurity that should concern them. Recent years have seen identity theft, including leakage of credit card data, become the single largest category of fraud.

[1] Source: VISA, Inc., Form S-4, June 22, 2007, at p. 134, available at http://www.sec.gov/Archives/edgar/data/1403161/000119312507140569/ds4.htm (accessed 4/1/08) [hereinafter VISA Form S-4 (2007)].
[2] Id. at 133. Visa estimates that more than 1.3 billion of its branded cards are in circulation in 2006, and that these cards are accepted at more than 26 million merchants and one million ATMs, with a total dollar volume of more than $3.2 trillion. This dollar volume represents a three-fold increase since 1997, when Visa first reported exceeding the $1 trillion mark. See Visa “History and Milestones” at http://corporate.visa.com (accessed 4/1/08).
[3] See, e.g., Paycom Billing Services, Inc. v. Mastercard Intern., Inc., 467 F.3d 283, 285 (2d Cir. 2006).
[4] See generally Steven Semeraro, Credit Card Interchange Fees: Three Decades of Antitrust Uncertainty, 14 Geo. Mason L. Rev. 941 (2007). Economists sometimes refer to this situation as a “two-sided market”. A newspaper that sells to both readers and advertisers is also a two-sided market. See id. at 950.

0267-3649/$ – see front matter © 2008 Edward A. Morse & Vasant Raval. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2008.07.001
Personal data associated with payment cards present additional risks that transcend the limited liability associated with the cards. In the wrong hands, such data can result in identity theft or other fraud, with devastating effects on consumers far beyond the payment card industry’s control. Large-scale security breaches involving payment card data, such as that experienced by TJX, Inc., have called attention to matters of security in this context.[13] They have also spawned litigation to sort out the legal responsibilities for harms associated with those breaches.[14] Government regulation of the security of personal data in the United States is neither comprehensive nor complete.[15] Moreover, the assessment or allocation of costs associated with security breaches is currently unsettled, a matter that presents significant future challenges for this industry.[16] Private ordering through contract has continued to play a dominant role in providing standards and facilitating compliance within the industry as it grapples with new technology and challenges to security. Economic incentives (or penalties) have thus far displaced legal proscriptions as the foundation for providing security within the payment card industry.

This article provides an overview of seemingly cooperative efforts within the payment card industry (PCI) to provide common data security standards, known as PCI DSS. As discussed below, the PCI DSS model may indeed provide additional protection for consumers, but it appears to achieve those protections by imposing additional costs on merchants. Moreover, its protections leave open many legal and practical questions, including the effectiveness of consumer protection and the scope of cost shifting among participants in the network, which will need to be addressed in the future. Section 2 contextualizes the legal and economic environment in which the payment card industry operates, including the consequences of security breaches for various participants in the industry. Section 3 provides an overview of legislation and litigation as tools to incentivize investment in information security. Section 4 discusses PCI DSS as an alternative approach based on private ordering. Section 5 provides an assessment of the current state of data security in the payment card industry, summarizes unresolved issues, and identifies areas for further research and development.

[5] See id. at 946. Discover and Diner’s Club are examples of networks classified primarily as unitary.
[6] See id. Mastercard and Visa are examples of non-unitary systems. Other brands, including American Express, may have both unitary and non-unitary features.
[7] See id.
[8] See generally Vasant Raval & Ashok Fichadia, Risks, Controls, and Security 58–61 (Wiley, 2007) (discussing key objectives of information security).
[9] See David V. Snyder, Private Lawmaking, 64 Ohio St. L. J. 371 (2003).
[10] See United States v. Visa U.S.A., Inc., 163 F.Supp.2d 322, 333–34 (S.D.N.Y. 2001) (discussing emerging growth of payment card industry in early 1970s with formation of Visa and Mastercard organizations).
[11] See 15 U.S.C. § 1643(a)(1) (limiting cardholder liability for unauthorized credit card charges to $50); 15 U.S.C. § 1693g(a) (limiting consumer losses for debit cards). As commentators have noted, this limitation applies regardless of any negligence on behalf of the consumer. See Clayton P. Gillette, Rules, Standards, and Precautions in Payment Systems, 82 Va. L. Rev. 181, 183 (1996).
[12] See, e.g., Visa Security Program, Zero Liability at http://usa.visa.com/personal/security/visa_security_program/zero_liability.html?it=c|/personal/security/visa_security_program/index.html|Zero%20Liability (accessed 5/6/08).
2. Industry overview: costs, benefits, and risks of payment cards

Payment card usage depends on interrelationships between two important groups: consumers and merchants. Understanding these interrelationships and the legal and economic environment in which they occur is a helpful predicate to understanding approaches to security.

[13] See, e.g., In re TJX Companies Retail Security Breach Litigation, 524 F.Supp.2d 83, 85–86 (D. Mass. 2007). (“In what has been described as the largest retail security breach ever, criminals hacked into the computer systems of TJX Companies, Inc. (‘TJX’) and compromised the security of at least 45,700,000 customer credit and debit accounts.”)
[14] See id. at 86 (describing numerous cases filed involving this breach).
[15] See Section 3, infra.
[16] See id.
Fig. 1 – Payment card industry features. [Diagram: brands impact the payment card system; merchants accept charges through it and consumers/card holders use cards. The system can be unitary (the issuing bank is the same as the acquiring bank) or non-unitary (the issuing bank competes for cardholders and the acquiring bank competes for merchant accounts).]
2.1. Demand interrelationships: consumers and merchants

Consumer demand for payment cards depends significantly on broad-based merchant acceptance, which ensures that payment card usage is convenient and practical. Payment card industry profits are directly linked to consumer usage; industry members thus have a shared economic interest in ensuring that consumers prefer payment cards as the means to make their purchases. The industry often provides incentives to induce additional consumer demand, such as cash back, reward points, or airline miles. This consumer demand, in turn, affects the reciprocal willingness of merchants to accept this payment medium. Merchants incur transaction costs associated with accepting payment cards, and they may also incur other ancillary costs.[17] As discussed below, the particular composition of those transaction costs can vary depending on whether a unitary or non-unitary payment card system is involved, but in either case the merchant experiences a discount from the price charged to the consumer, which provides the underpinning for industry costs and profits. In a non-unitary payment card system, banks that process merchant accounts (known as “acquiring banks”) typically assess a small percentage of the transaction, and in some cases a fixed minimum fee may also be imposed. Transaction costs imposed by acquiring banks can vary depending on such factors as the type of firm involved, transaction volumes, and location. Banks are often reluctant to disclose those rates publicly, presumably due to competitive concerns among their clients. However, firms advertising on the Internet readily provide this information.[18] Visa has publicly stated that it does not get involved in setting these charges imposed on merchants, which are characterized as a product of a competitive market.[19] In addition to the fees imposed directly by an acquiring bank, the payment card association (such as Visa or Mastercard) in a non-unitary system will also impose a separate “interchange fee”, which is not determined by the acquiring bank.[20] The acquiring bank nevertheless collects this fee and remits it to the association. Some portion of this fee may also be shared with issuing banks, which thus benefit from transactions by their customers as well as from any interest and fees charged to cardholders. The payment card industry takes the position that these fees are necessary to balance the respective costs and benefits from each side of this dual marketplace.[21] However, this proposition is being contested in litigation.[22]

Despite the fact that merchants don’t receive the same kind of rewards as consumers and indeed appear to incur transaction costs whenever a payment card is used, merchants may also benefit from payment card usage. Even cash-based businesses incur costs, including security, labor, and other transaction costs associated with counting and depositing cash. The relative magnitude of these costs and their impact on merchant preferences will vary depending on local conditions, but it is conceivable that payment cards could reduce or at least displace some of these costs.[23] Other benefits from payment cards may include more rapid customer processing, thus enabling higher transaction volumes, reduced cycle time for cash collection, improved cash float, lower uncollectibles, and consequently, higher profits.[24] Some businesses, such as those dealing by phone or by Internet, involve contexts where cash is simply not practical. (Even the neighborhood gas stations do not encourage you to go in their convenience stores any more just to pay for the gas.) Although competing payment forms, such as PayPal, have emerged, payment cards continue to be an important part of the business model in this environment. Moreover, merchants may also benefit from the consumer’s ability to finance a purchase that they might not otherwise afford. Some merchants may forgo potential profits associated with granting store credit in favor of the payment card system. However, these merchants also avoid credit or payment risks, as the payment card system shifts these risks elsewhere within the payment network, primarily onto the issuing bank.[25]

[17] These costs may include security measures, as discussed below.
[18] See, e.g., Merchant Accounts Express, Internet and Ecommerce Merchant Account Rates, http://www.merchantexpress.com/rates_internet.htm (comparing fees with industry averages) (accessed 5/7/08).
[19] VISA Form S-4 (2007), supra note 1, at 147. (“Merchant discount rates and other merchant fees are set by our acquirers without our involvement and by agreement with their merchant customers and are established in competition with other acquirers, other payment card systems and other forms of payment. We do not establish or regulate merchant discount rates or any other fees charged by our acquirers.”)
[20] See Semeraro, supra note 4, 14 Geo. Mason L. Rev. at 947.
2.2. Liability for costs from unauthorized charges

The legal framework for risk-bearing is a significant factor affecting the development of payment systems, and particularly of credit card systems. Although a complete analysis of risk-bearing functions within the industry is beyond the scope of this article, risks associated with unauthorized charges merit particular attention because of their close relationship to unauthorized access to cardholder information. As discussed below, risks for unauthorized charges have been resolved quite favorably to cardholders, but merchants have not fared so well. Lost, stolen, or counterfeit credit cards present a potential risk to the card payment system, which could threaten the trust required for its viability. The consumer side of this trust equation was addressed quite early in the history of credit cards through legislation favoring cardholders by limiting their liability for unauthorized charges.[26] The industry has taken this further, as card payment systems have adopted “zero liability” policies for unauthorized charges.[27] Such policies apparently reflect an effort to enhance consumer confidence in the payment card system by extending contractual protections that are greater than the statutory protections imposed by law. As a consequence of this pro-cardholder policy, someone else in the payment card network must bear the loss. In most cases, the merchant who received the unauthorized payment bears these direct costs through “chargebacks” to the merchant account. This essentially translates into two losses: first, the merchant loses the value of goods or services provided to the unauthorized user; second, the merchant may also incur additional fees associated with the chargeback.

[21] See id. at 947–49.
[22] See id.
[23] See id. However, some commentators suggest that the cost variance is quite significant. See Adam J. Levitin, Priceless? The Social Costs of Credit Card Merchant Restraints, 45 Harv. J. on Legis. 1, 1–2 (2008). (“On average, credit card transactions cost merchants six times as much as cash transactions and twice as much as checks or PIN-based debit card transactions.”)
[24] Visa promotes its contactless payment cards as tools for enhancing transaction volume. See VISA Form S-4 (2007), supra note 1, at 143.
[25] Visa offers services to card issuers which allow transaction monitoring for the purpose of predicting bankruptcy of its cardholders, thus potentially permitting the avoidance of some of the associated losses. See VISA Form S-4 (2007), supra note 1, at 138. (“Analyzing transaction attributes at the consumer level, AdvanceBK can identify accounts that do not demonstrate typical risky behaviors, but that may result in future bankruptcies.”)
The “chargeback” process was explored recently in litigation involving Mastercard.[28] After a cardholder disputes a charge, the issuing bank reverses the cardholder’s charge and notifies the acquiring bank to return these funds.[29] The acquiring bank deducts the funds from the merchant’s account pending resolution of the dispute.[30] The merchant may reverse a chargeback by producing a signed sales receipt from the cardholder, which is possible if the customer was present at the point of sale.[31] For merchants selling by telephone or over the Internet, a signed receipt is not available. In these circumstances – known as “card not present” (“CNP”) transactions – the merchant bears the loss.[32] If a merchant (i.e., the acquiring bank’s customer) has too many chargebacks, the acquiring bank may also be subjected to fines and penalties,[33] although in practice these costs may ultimately be passed on to the merchants. Under this system, the direct costs of unauthorized transactions are passed back to the merchant, rather than borne by the cardholder. This provides an incentive for merchants to monitor their customers and to take precautions against fraudulent usage. As the Second Circuit has explained, “From the acquiring bank’s vantage point, the failure to pass back these costs would not only decrease their revenue but would also increase the risks of fraud by eliminating any incentive on the part of CNP merchants to limit it.”[34] It is also possible that the merchant may, in turn, pass all or at least a portion of these costs to other customers, including those who do not use credit cards.[35] However, constraints on this ability would include competition from firms that do not accept credit cards or that discourage use of cards by offering a cash payment bonus, and thus have cheaper cost structures, as well as the potential for fines and penalties that acquiring banks impose on excessive chargebacks, as noted above.

Of course, the above discussion is not exhaustive or complete concerning the practices of payment card networks. Variations may also exist within particular card brands. As the Second Circuit recognized, in some cases acquiring banks in the Mastercard network may choose not to pass along the charges to their merchant customers.[36] Contract terms and local practices may vary depending on the particular costs and benefits of enforcing their terms. Moreover, some of the costs of preventing fraudulent transactions are indeed borne by the card payment companies themselves. For example, Visa has developed proprietary algorithms for fraud detection, which it uses to monitor accounts for the purpose of preventing unauthorized charges.[37] Nevertheless, the general practices outlined here show significant correlation between the direct responsibility for losses in the system and the incentives for preventing those losses, which both rest primarily in the hands of merchants.

[26] See 15 U.S.C. § 1643(a)(1) (limiting cardholder liability for unauthorized credit card charges to $50); 15 U.S.C. § 1693g(a) (limiting consumer losses for debit cards).
[27] See, e.g., VISA Security Program, Zero Liability (“With Visa’s Zero Liability policy, your liability for unauthorized transactions is $0 – you pay nothing.”), available at http://usa.visa.com/personal/security/visa_security_program/zero_liability.html (accessed 6/9/08).
[28] See Paycom Billing Services, Inc. v. Mastercard Intern., Inc., 467 F.3d 283, 286–88 (2d Cir. 2006).
[29] See id. at 286.
[30] See id.
[31] See id. at 286–87.
[32] See id.
[33] See id. at 287.
2.3. Problems of unauthorized disclosure

Consumers are also subject to risks based on disclosure of their personal information that comes into the hands of merchants, including information provided through payment card transactions. Recent examples include Hannaford Grocery, where a breach of its computer system potentially caused 4.2 million credit and debit card numbers to be disclosed, leading to about 1800 fraud cases.[38] Other notable retailers with breaches include TJ Maxx, which has been litigating the consequences of a massive security breach affecting customer payment card information.[39] Of course, breaches from outside the traditional business community can also adversely impact consumers. There are broader macro-forces at work as well. For example, following the disclosure of major data leakage or credit card fraud, the entire PCI suffers from consumer hesitancy to use payment cards, not just in the affected industry, but across the board.[40]

Although the allocation of losses for unauthorized charges, as outlined in Section 2.2 above, provides an incentive structure for merchants to prevent unauthorized transactions, similar incentives are not necessarily present in the realm of costs associated with a disclosure of personal information. A disclosure caused by lax security at one merchant does not necessarily generate cost in the form of unauthorized transactions at that same merchant. For example, if a breach at a university results in disclosure of payment card information from its customers, it would seem highly unlikely that the university would subsequently experience significant unauthorized charges or extend credit to persons who fraudulently obtained another’s identity. For some items, it can easily suspend the benefit obtained (e.g., tuition and/or degree credits) upon discovery of the fraud, which would not be possible for other consumer items, such as food, gasoline, or retail goods. Security breaches at one business or in one business sector may thus effectively shift costs to other firms, in addition to costs borne by the consumers themselves. An investment in security to protect cardholder data does not necessarily generate rewards measured in the form of cost savings from unauthorized transactions on one’s own account. Returns from an investment in security, if indeed they occur at all, are likely to be more indirect. For example, to the extent that customers are sensitive to security risks, they may seek out firms that provide the greatest protection and avoid those who do not. (However, this assumes that consumers have some means to differentiate based on this factor.) Alternatively, customers may simply choose to avoid payment cards in favor of cash or other payment means which do not present these threats.
The possibility of externalized costs begs for a solution in order to prevent harms to consumers and to other firms who must bear the costs of unauthorized transactions. Several mechanisms are possible in this context. One approach involves legislation, regulations, or other law-based mechanisms to shift the incentive structure toward greater investments in data security. An overview of that approach is discussed in Section 3, below. Another approach relies on private ordering within the payment card industry, in which the industry polices its own ranks for the purpose of enhancing the security and profitability of all participants. The PCI DSS approach is discussed in Section 4.
[34] Id.
[35] See Levitin, supra note 23, 45 Harv. J. on Legis. 1 (arguing that restraints on surcharges for credit card usage impose costs on all consumers).
[36] See id. However, an industry source has told the authors that it would be unusual not to pass these costs through as a matter of contract.
[37] See VISA Form S-4, supra note 1, at 146.
[38] See Ross Kerber, Grocer Hannaford hit by computer breach, Boston Globe, March 18, 2008, available at http://www.boston.com/business/articles/2008/03/18/grocer_hannaford_hit_by_computer_breach/ (visited May 2, 2008).
[39] See id. See also discussion at notes 52–60, infra.
3. Legal obligations for security

Legal obligations to provide security for data belonging to others may come from many different sources. As one prominent commentator has explained:

There is no single law, statute, or regulation that governs a company’s obligations to provide security for its information. Corporate legal obligations to implement security measures are set forth in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as common law fiduciary duties and other express and implied obligations to provide “reasonable” or “appropriate” security for corporate data.[41]

Unlike the European Union, which has provided for the protection of personal information as a fundamental principle in the Data Protection Directive, regulation of security and privacy in the U.S. has been described as “very fragmented and segment-specific.”[42] Although a complete analysis of all sources for legal obligations is beyond the scope of this article, an overview is helpful in understanding the legal environment for security within the payment card industry. Four specific areas are addressed: (1) segment-specific privacy legislation, such as Gramm–Leach–Bliley; (2) Federal Trade Commission enforcement efforts based on “unfair” practices affecting consumers; (3) state-specific privacy and data security disclosure provisions; and (4) common law claims, including tort.

[40] See Section 4, infra.
3.1. Segment-specific legislation

Some segments of the economy, such as health care, financial services, and education, have garnered sufficient legislative attention to develop specific legislation that addresses privacy and security of personal information.[43] For example, Gramm–Leach–Bliley (“GLB”)[44] expresses the policy of Congress that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”[45] Toward this end, regulatory agencies governing financial institutions are directed to establish “appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards – (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security and integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”[46] The scope of the “financial institutions” affected by these obligations is limited. Although a broad range of banks, brokers and dealers, investment companies, and insurance firms are included, most merchants are not.[47] Various federal and state agencies regulating the covered institutions are responsible for implementing the requirements of the Act.[48] Among these agencies, the Federal Trade Commission (FTC) has invested the most effort in enforcement of Gramm–Leach–Bliley.[49] As discussed below, the FTC has also undertaken enforcement efforts to protect consumers from data security breaches at firms outside the scope of Gramm–Leach–Bliley.

[41] See Thomas J. Smedinghoff, It’s All About Trust: The Expanding Scope of Security Obligations in Global Privacy and E-Transactions Law, 16 Mich. St. J. of Int’l L. 1, 10 (2007) (footnotes omitted).
[42] See id. at 16.
[43] See, e.g., Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104–191, 110 Stat. 1936 (1996); Gramm–Leach–Bliley Act (Financial Services Modernization Act of 1999), Pub. L. 106–102, 113 Stat. 1338 (1999); Family Educational Rights and Privacy Act of 1974 (“FERPA”), Pub. L. 93–380, 88 Stat. 571 (1974).
[44] Relevant provisions addressing privacy are codified at 15 U.S.C. §§ 6801–09.
[45] 15 U.S.C. § 6801(a).
[46] Id. § 6801(b).
3.2.
The Federal Trade Commission
The Federal Trade Commission has been instrumental in extending protections to consumers outside the scope of segment-specific legislation.50 The agency’s website states that ‘‘[P]rivacy is a central element of the FTC’s consumer protection mission’’, and it views the ‘‘security of personal information’’ as a component of privacy.51 Recent enforcement actions by the FTC have included claims against retailer TJX, Inc., a retailer engaged in selling apparel and home fashions. According to the FTC’s complaint, TJX used its computer networks to obtain authorization for payment card purchases.52 Until December 2006, it also stored some of that information on its in-store and corporate networks in an unencrypted form.53 The FTC alleged that TJX’s practices, ‘‘taken together, failed to provide reasonable and appropriate security for personal information on its networks.’’54 As a result, the networks were hacked, compromising ‘‘tens of millions of unique payment cards used by consumers’’ as well as personal information of about 455,000 consumers.55 In particular, the FTC alleged that TXJ: (a) created an unnecessary risk to personal information by storing it on, and transmitting it between and within, instore and corporate networks in clear text; 47 See id. x 6805(a). A merchant may nevertheless be subject to the privacy provisions if the merchant extends credit or engages in long-term leases of property, as in the case of an automobile dealer. See, e.g., the FTC’s Privacy Rule and Auto Dealers: Frequently Asked Questions, at http://www.ftc.gov/bcp/conline/ pubs/buspubs/autoglb.shtm (visited May 2, 2008). FTC regulations also point out that third parties who are not financial institutions may be subject to the G–L–B provisions to the extent they receive information from a financial institution. See 16 C.F.R. Part 313, Privacy of Consumer Financial Information; Final Rule, 65 Fed. Reg. 33,646 (May 24, 2000). Financial institutions are responsible for their agents. 
See 65 Fed. Reg. at 33,651. Moreover, third parties who receive information from financial institutions effectively ‘‘step into the shoes’’ of the financial institution regarding their rights and obligations. See 65 Fed. Reg. at 33,667. 48 See id. 49 See Kathleen A. Hardee, The Gramm–Leach–Bliley Act: Five Years after Implementation, Does the Emperor Wear Clothes? 39 Creighton L. Rev. 915, 927 (2006). 50 See Smedinghoff, supra note 41, 16 Mich. St. J. of Int’l Law at 17–18; Hardee, supra note 49, 39 Creighton L. Rev. at 927–33. 51 www.ftc.gov/privacy/ (visited 5/2/2008). 52 See In the Matter of The TJX Companies, Inc., FTC C-072-3055, 5–6, available at http://www.ftc.gov/os/caselist/0723055/080327 complaint.pdf (visited 5/2/2008). 53 See id. 7. 54 See id. 8. 55 See id. at 9–11.
(b) did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization;

(c) did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks;

(d) failed to use readily available security measures to limit access among computers and the Internet, such as by using a firewall to isolate card authorization computers; and

(e) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts.56

The legal basis for this complaint is Section 5(a) of the Federal Trade Commission Act, which proscribes ‘‘unfair or deceptive acts or practices in or affecting commerce.’’57 It should be noted that nothing in the complaint alleged that the company failed to follow advertised policies, which would presumably constitute a deceptive practice. Such was the case in another enforcement action based on hacking a mortgage lender’s website, where the omissions by the company were arguably inconsistent with its stated privacy policy.58 Thus, the complaint here rests on ‘‘unfairness’’, an amorphous concept that may lend itself to administrative abuse.59

The FTC complaint against TJX was resolved by an agreement containing a consent order. In that order, TJX agreed to take steps to improve its network security and to obtain biennial assessment reports from ‘‘an independent, third-party professional, who uses procedures and standards generally accepted in the profession.’’60 However, the agreement specifically states that it ‘‘does not constitute an admission by [TJX] that the law has been violated.’’ An FTC complaint is not itself a finding of a legal violation, only an indication that there is reason to believe the law has been violated. The foundation for finding a legal violation here, therefore, has still not been tested in the courts. Nevertheless, it is significant that the agency has taken steps to enforce security in this manner, and this may indeed portend greater governmental involvement in these areas outside of the particular scope of industry-specific legislation, such as Gramm–Leach–Bliley. A recent news release announcing the settlement with TJX quotes the FTC Chairman as follows: ‘‘By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,’’ said FTC Chairman Deborah Platt Majoras. ‘‘These cases [including TJX] bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America.’’61

However, the limitations of FTC enforcement are significant. Twenty complaints, as noted above, is a small number in relation to the hundreds of breaches identified by websites such as www.privacyrights.org. Given the limited resources for enforcement, agency regulation is unlikely to provide a complete solution.62 Moreover, delegation of important policymaking authority to an agency in this context has raised other structural concerns, which go to the heart of appropriate governmental powers in a democracy.63
56 Id. 8. It should be noted that these requirements correspond to those in PCI DSS, as discussed in Section 4, infra.
57 See id. 13. Section 5 of the Federal Trade Commission Act is codified at 15 U.S.C. § 45.
58 See Press Release, Real Estate Services Company Settles Privacy and Security Charge (May 10, 2006), at http://www.ftc.gov/opa/2006/05/nationstitle.shtm (accessed 5/2/08) (regarding In the Matter of Nations Title Agency, Inc., FTC File No. 0523117).
59 See Michael D. Scott, The FTC, The Unfairness Doctrine, and Data Security Breach Litigation: Has the Commission Gone Too Far? 60 Admin L. Rev. 127, 135 (2008) (noting other ‘‘unfairness’’ cases and the ‘‘checkered history’’ of this concept). As a further example, an FTC complaint against Reed Elsevier and Seisint alleges, among other things, that these firms ‘‘allowed customers to use easy-to-guess passwords’’ to access customer databases that included sensitive customer information. See News Release, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (March 27, 2008), at http://www.ftc.gov/opa/2008/03/datasec.shtm (accessed 5/2/08). Although strong passwords are important security tools, it is hard to say that merely permitting a consumer to choose a weak one is somehow ‘‘unfair’’ to the consumer.
60 In the Matter of The TJX Companies, Inc., File No. 072 3055, Agreement Containing Consent Order, at http://www.ftc.gov/os/caselist/0723055/080327agreement.pdf (accessed 5/2/08). A news release announcing this settlement was published March 27, 2008.

3.3. State laws
Another approach to legislation involves the states, which have been actively pursuing additional legal protections for their citizens in the matter of security and privacy. Significant state efforts include legislation to extend more general privacy protection to citizens and rules requiring the disclosure of security breaches. An overview of each of these two approaches and their relationship to payment card information security is discussed below.
3.3.1. State privacy protection initiatives
As discussed above, the Federal government has not adopted a comprehensive approach to consumer privacy. Even segment-specific approaches, such as Gramm–Leach–Bliley, specifically recognize the possibility that states may provide greater protection if they choose.64

61 See News Release, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers’ Data (March 27, 2008), at http://www.ftc.gov/opa/2008/03/datasec.shtm (accessed 5/2/08).
62 See Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. Cal. L. Rev. 241, 256 (2007).
63 See generally Scott, supra note 59, 60 Admin L. Rev. at 143 ff.
64 See 15 U.S.C. § 6807(b).
California has taken the lead in this area by providing a broad-based statute for consumer protection, which provides in part: ‘‘A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.’’65 Moreover, businesses that deal with nonaffiliated third parties are required to contract for such protections on behalf of their customers.66 Waiver of these protections is prohibited as contrary to public policy.67 Customers injured by a security violation may institute a civil action for damages.68 Several other states have also followed a similar approach.69 Significantly, these statutes generally do not prescribe the parameters for reasonable security procedures and practices. However, some states have adopted particular limits. For example, California also prohibits merchants from requiring cardholders to write down personal information that may be stored as a condition of accepting a credit card for payment.70 California law also suggests encryption as a means to protect consumer data.71
3.3.2. State security breach disclosure laws
In addition to imposing some general standards for security, state laws may also seek to protect consumers by requiring that firms that experience a breach in their security systems provide notification to affected consumers. More than 30 states have enacted these disclosure requirements, which vary considerably in their details.72 Here again, California is one of the leading states, and a brief look at its statute is helpful in understanding the thrust of this approach for legislating enhanced security. Under California law, ‘‘a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.’’73 ‘‘Personal information’’ is defined to include information that is not publicly available from government records, and it includes account numbers or credit or debit card numbers.74 The disclosure requirement
applies, in this case, only to unencrypted information, although the statute does not provide for a particular encryption standard. The means of disclosure may include written or electronic notice to the person, or it may also include ‘‘substitute notice’’, which may include ‘‘conspicuous posting’’ on a website or ‘‘notification to major statewide media.’’75 Disclosure laws potentially provide an important consumer benefit, in that they permit consumers to take appropriate remedial action in response to a breach. One such action is the implementation of a freeze on one’s credit report, which may prevent so-called ‘‘new account fraud’’ that may occur as a result of stolen personal information.76 Moreover, they provide another important function that is potentially even more significant: they focus public attention on the information security practices of firms and thus potentially affect the value of consumer goodwill associated with these firms. To the extent that the marketplace is sensitive to security threats, consumers may choose to avoid firms with poor security reputations. As discussed in Section 4, below, the payment card industry is very concerned about this possibility. The focus on disclosure and its attendant consequences reinforces the market-based incentives that ultimately appear to be a very important influence favoring strong security protections. However, disclosures also may entail significant costs for business.77
3.3.3. Difficulties with state regulation
In a Federal system, state laws present an opportunity for citizens to enact laws that reflect their particular values and priorities. As Justice Brandeis famously stated, ‘‘It is one of the happy incidents of the Federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.’’78 However, the modern technological environment makes it comparatively difficult to constrain the impact of state regulation to enterprises within the state.79 Firms with customers in a state with particular privacy laws may face difficult questions in determining whether they are subject to these laws, even though they are not physically present in the jurisdiction. Moreover, firms with operations in multiple states, which may include networks that connect those operations, may be practically required to comply with the most stringent of state laws.80 However, as
65 See Cal. Civil Code § 1798.81.5(b).
66 See id. § 1798.81.5(c).
67 See id. § 1798.84(a).
68 See id. § 1798.84(c).
69 See generally Smedinghoff, supra note 41, at 18–19.
70 See Cal. Civ. Code § 1747.08, which is part of the ‘‘Song–Beverly Credit Card Act’’. See Florez v. Linens ’N Things, Inc., 108 Cal. App. 4th 447, 450 (Cal. App. 2003).
71 See Cal. Civ. Code § 1798.82(a).
72 See, e.g., Ian C. Ballon, A Legal Analysis of State Security Breach Statutes, 903 PLI/Pat 135 (June–July 2007) (noting differences that include the triggering event, the scope of protected information, exemptions from disclosure, and the form of notice, among others); Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007).
73 Cal. Civ. Code § 1798.82(a).
74 See id. § 1798.82(e),(f).
75 See id. § 1798.82(g).
76 See Kristan T. Cheng, Note, Identity Theft and the Case for a National Credit Report Freeze Law, 12 N.C. Banking Inst. 239, 240 (2008).
77 See Michael E. Jones, Data Breaches: Recent Developments in the Public and Private Sectors, 3 I/S: A Journal of Law and Policy for the Information Society, 555, 576–80 (Winter 2007–2008) (summarizing various cost estimates, which range from about $50 to more than $300 per breached record).
78 New State Ice Co. v. Liebman, 285 U.S. 282, 311 (1932) (Brandeis, J., dissenting).
79 See Edward A. Morse & Ernest P. Goss, Governing Fortune: Casino Gambling in America 143–44 (2007) (addressing concerns about the Internet’s impact on the conventional wisdom of Justice Brandeis).
80 See Ballon, supra note 72, at 137–38.
discussed in Section 4 below, similar conditions may also affect private ordering when competing obligations imposed by multiple vendors are not harmonized.
3.4. Tort claims
Courts may also contribute to enforcing security obligations through developing legal theories to exact recoveries from those who fail to exercise due care over information entrusted to them. Two examples include tort81 and bailment.82 To date, neither theory has proven very successful in bringing about recoveries against the industry, but the possibility of future success under an expanded version of a common law theory is undoubtedly affecting industry policies.83 Tort theories have been raised by several legal commentators as a possible means to induce appropriate care by those with consumer information.84 By allowing a recovery of damages, the tort claim may effectively force those who maintain inadequate security to internalize the costs associated with their breach. However, various legal barriers have been raised to this approach. Consumer standing based on actual injury is one such problem.85 For example, in Bell v. Acxiom Corporation,86 a consumer filed a complaint seeking damages against a firm that stored personal, financial, and company data. The firm’s computer was hacked and client files were compromised, giving rise to a class action lawsuit. The plaintiff alleged that as a result of the breach, she suffered an increased risk of unsolicited e-mail and identity theft. However, the court found that neither of these risks was sufficient to cause her to suffer concrete damages sufficient to satisfy the standing requirement.87 Thus, consumer protection rules that limit liability for unauthorized charges also contribute to a litigation bar that protects the industry from a tort claim. In another recent case, Pisciotta v. Old Nat. Bancorp,88 the Seventh Circuit rejected the limited approach to standing adopted in Bell. However, it nevertheless concluded that plaintiffs who had alleged that they had incurred costs for credit monitoring as a result of a security breach would not have a compensable claim under Indiana law. 
The court based its decision in part on the fact that the Indiana data breach notification statute did not provide a private cause of action, and that in the absence of ‘‘a single case or statute, from any jurisdiction, authorizing the kind of action’’, the court refused to create a ‘‘novel tort claim’’ in this context.89

The economic loss doctrine, which limits the scope of recoverable damages in tort to personal injury or property damage, may also serve as a bar to recoveries based on negligence or strict liability.90 In recent litigation concerning the TJX Companies data security breach, the economic loss doctrine was raised by TJX and its acquiring bank in response to a claim for damages by issuing banks.91 The issuing banks raised a tort claim based on negligence, seeking damages measured by the costs they incurred for credit cards compromised by hackers who accessed the TJX computer network. However, the court held that those damages were barred by the economic loss doctrine.92 Significantly, the court also rejected an argument that property damages had occurred because cards had to be replaced. According to the court, physical damage was required to satisfy the property damage exception, not merely intangible economic damages.93 As the court in TJX recognized, the rationale of the economic loss doctrine is ‘‘partly that ‘a commercial user can protect himself by seeking express contractual assurances concerning the product (and thereby perhaps paying more for the product) or by obtaining insurance against losses.’’’94 Ironically, the issuing banks were denied the opportunity to present a contract claim due to the absence of privity of contract between them and the merchant. As discussed below, the complex web of legal relationships among the various independent actors in the payment card industry can present formidable challenges to direct contractual arrangements in this context.

81 See, e.g., Bell v. Acxiom Corporation, 2006 WL 2850042 (E.D. Ark. October 3, 2006); In re TJX Companies Retail Sec. Breach Litigation, 524 F.Supp.2d 83, 90 (D. Mass., 2007).
82 See Richardson v. DSW, Inc., 2005 WL 2978755 (N.D. Ill 2005).
83 See text at note 103, infra.
84 See, e.g., Citron, supra note 62, 80 S. Cal. L. Rev. 241, 261–67 (addressing proposals by several commentators); Vincent R. Johnson, Data Security and Tort Liability, 11 J. Internet L. 22 (2008); Michael L. Rustad & Thomas H. Koenig, Extending Learned Hand’s Negligence Formula to Information Security Breaches, 3 I/S: J. L. & Pol’y for Info. Soc’y 237 (2007).
85 See Scott, supra note 59, 60 Admin L. Rev. at 154–59 (discussing cases and a report by the United States General Accounting Office discussing the speculative nature of consumer injury in security breaches).
86 2006 WL 2850042 (E.D. Ark. October 3, 2006). See also Ambrose, et al., Survey of Significant Consumer Privacy Litigation in the United States in 2007, 63 Bus. Law. 653, 653 (2008).
87 See id. (citing numerous other cases reaching similar results).
88 499 F.3d 629 (7th Cir. 2007).
It should be noted that TJX ultimately settled out of court with the issuing banks by offering to pay approximately $40.9 million.95 It also settled with consumers who brought a class action lawsuit by agreeing, among other things, to provide credit monitoring for certain customers, vouchers of up to $30 for those who incurred costs, with a second $30 voucher if additional costs can be proven (including lost time at $10 per hour); sale offerings of its merchandise for customers, and commitments to minimize the likelihood of intrusions in the future.96 Although particular assessments of legal risks underpinning these settlements are not entirely clear, there is a business advantage in obtaining a certain and predictable resolution and in removing a cloud of litigation that could affect shareholder and customer perceptions for years to come. Concerns about additional government regulation may also be considered.

At least one state has enacted legislation to address the concerns of issuing banks in response to the TJX security breach. Effective August 1, 2007, Minnesota businesses that accept payment cards are prohibited from retaining customer information longer than 48 hours after completing a transaction.97 Effective August 1, 2008, Minnesota law will also expressly permit an action for damages to recover ‘‘costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.’’98 Other states considered but did not enact similar legislation.99 It remains to be seen whether this legislation will indeed protect consumers, and how such legislation will impact the payment card industry. It potentially injects the threat of significant consequential damages into data security breaches occasioned by a merchant’s lack of security.100 Judge-made doctrines that prevent recovery may also be changed or applied differently by judges in future cases. If that should occur, the industry may well seek legislative limits to contain liability exposure. The proper standard of care for liability is a significant issue in the context of tort liability.

89 See id. at 636–40.
90 For background on the economic loss limitation, see, e.g., Boggs, et al., Evolution of the Economic Loss Doctrine in Information Age Disputes Involving Electronic Data Storage Products, 73 Defense Counsel J. 129 (2006) (articulating purposes of economic loss doctrine); Steven C. Tourek, et al., Bucking the ‘‘Trend’’: The [UCC], the Economic Loss Doctrine, and Common Law Causes of Action for Fraud and Misrepresentation, 84 Iowa L. Rev. 875 (1999) (discussing fraud and misrepresentation exceptions to doctrine).
91 In re TJX Companies Retail Sec. Breach Litigation, 524 F.Supp. 2d 83, 90 (D. Mass. 2007).
92 See id. at 90.
93 See id. (following Penn. State Employees Credit Union v. Fifth Third Bank, 398 F.Supp.2d 317, 330 (M.D. Pa. 2005)). It should be noted that Penn. State Employees Credit Union was recently reversed by the Third Circuit. However, the significance of this result is questionable, given that it dealt with an earlier version of the Visa rules. See R. Christian Bruce, Retailer, Bank Had Duties Under Visa Rules to Guard Credit Card Information, 13 BNA Electronic Commerce and Law Report 1012 (July 23, 2008).
94 Id. (citation omitted).
95 The TJX Companies, Inc., Form 8-K, November 29, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/000095013507007247/b67665tje8vk.htm (accessed 5/6/08).
If left to judicial determination, this standard is likely to be inconsistent and potentially difficult for business to apprehend. In the meantime, the industry appears to be taking its own steps to address security concerns through private ordering. Industry practices may ultimately provide a standard of care that will emerge as the benchmark for those who deal with payment card information.
4. Private ordering through standards: PCI DSS

Legal authority is not the only means to regulate privacy and security. As legal scholars have recognized, it is possible for other norms of behavior to develop within particular social contexts with only limited, if any, state intervention.101 The private law of contract may provide a basis for mutual agreement among members of a network or other social group, thus allowing participants to govern themselves. In this sense, legal institutions may become the means of enforcement, whether directly or indirectly (as in the case of an agreement reached through private arbitration, which displaces the judicial machinery of the state for the initial decision-making process but may ultimately depend on that machinery to enforce an arbitration award). Non-legal sources, such as codes of conduct or even market expectations, may also be effective, and these may depend on the power of reputation, rather than law.102

The payment card industry (PCI) has recognized the potential for adverse market impacts from insecurity that threatens the consumer side of its two-sided marketplace. Not only may insecurity reduce consumer transactions (and the associated revenue), it may also provide an additional threat of government intervention. PCI leader Visa has stated the following in a recent filing with the U.S. Securities and Exchange Commission:

‘‘We and our customers, merchants, and other third parties store cardholder account information in connection with our payment cards. In addition, our customers may use third-party processors to process transactions generated by cards carrying our brands. Breach of the systems on which sensitive cardholder data and account information are stored could lead to fraudulent activity involving our cards, damage the reputation of our brands and lead to claims against us. . . . If we are sued in connection with any data security breach, we could be involved in protracted litigation. If unsuccessful in defending such lawsuits, we may be forced to pay damages and/or change our business practices or pricing structure, any of which could have a material adverse effect on our revenue and profitability. In addition, any damage to our reputation or our brands resulting from an account data breach at one of our customers or merchants or other third parties could decrease the use and acceptance of our cards, which could have a material adverse impact on our payments volume, revenue and future growth prospects. Finally, any data security breach could result in additional regulation, which could materially increase our costs.’’103

As can be seen from the above statement, both legal and non-legal considerations are present. In an environment of legal uncertainty, legal claims presented through the courts have the potential to impose significant costs, regardless of whether the case concludes in legal liability. Moreover, the public attention from such claims may also inject additional costs through regulation imposed by government, as opposed to that designed by the industry itself.

96 The TJX Companies, Inc., Form 8-K, September 21, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/000095013507005786/b66967txe8vk.htm (accessed 5/6/08).
97 See Minn. Stat. Ann. § 325E.64(b).
98 See id. § 325E.64(c).
99 See Donald G. Aplin, TJX Breach Prompts Six States to Consider Merchant Liability; Minnesota Clears Measure, 12 BNA Electronic Commerce Report 473, May 23, 2007.
100 See Richard A. Epstein and Thomas Brown, Cybersecurity in the Payment Card Industry, 75 U.Chi. L. Rev. 203, 221 (2008).
101 See, e.g., Gralf-Peter Calliess, Jorg Freiling, & Moritz Renner, Law, the State, and Private Ordering: Evolutionary Explanations of Institutional Change, 9 German L.J. 397, 403–05 (2008).
102 See id. at 404. (‘‘The threat of reputation-losses in markets that are ‘value-sensitive’ makes defective behavior unlikely.’’)
103 VISA Form S-4, supra note 1, at 19. See also id. at 19–20. (‘‘If fraud levels involving our cards were to rise, it could lead to reputational damage to our brands, which could reduce the use and acceptance of our cards, or to greater regulation, which could increase our compliance costs.’’)
Table 1 – PCI DSS requirements and categories

Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy.
  12. Maintain a policy that addresses information security.

Source: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf (visited 5/15/08).
For this reason, industry leaders have cooperated to develop their own standards for security, and these are known as the Payment Card Industry Data Security Standards (PCI DSS). As Visa has explained: In a cooperative industry effort in 2006, Visa U.S.A. co-founded the Payment Card Industry Data Security Standards (PCI DSS) Council, an independent council that established security standards to protect cardholder data and to prevent fraud. In December 2006, Visa U.S.A. announced the introduction of the PCI Compliance Acceleration Program (PCI CAP) for merchants and VisaNet processors. The program uses both financial incentives and fines to encourage merchants to comply with the PCI industry standards.104 Thus, through the combination of adopting industry standards and providing a system of private incentives and penalties within the industry, as well as additional programs for compliance for entities associated with particular card brands, the industry is seeking to address its own data security needs.
4.1. The standards
The PCI data security standards are called ‘‘requirements.’’ When the PCI Council was formed as a non-profit entity, each of the council’s primary backers (i.e., major card issuers) already had in place their own data security requirements. The Council compiled a unified set of standards, presumably working through an analysis and synthesis of what was already in place in each card issuer organization. Although a form of ‘‘due process’’ was followed by the Council in arriving at the standards, concerns remain among the market players, especially merchants and banks, that the feedback from them on earlier drafts of the standards was not fully addressed. New updated standards are expected in October 2008, which may address some of these concerns.105

Version 1.1 of the standards, released in September 2006, has 12 major requirements divided into six categories. Table 1 presents these requirements and categories. Each requirement has sub-requirements and some have sub-sub-requirements. For example, Requirement 3, regarding the protection of stored cardholder data, provides several sub-requirements, which range from ‘‘keep[ing] cardholder data storage to a minimum’’ to ‘‘rendering cardholder data unreadable’’. Particulars regarding encryption and key storage are discussed as a means of making data unreadable, but businesses unable to encrypt, whether due to ‘‘technical constraints or business limitations’’, are allowed to adopt ‘‘compensating controls’’ designed to mitigate the associated risks.106

Although a complete analysis of the particulars of PCI DSS is beyond the scope of this article, some general observations about the standards are in order. The standards are neither linear nor sequential; they vary in nature, scope, and granularity. Some standards (e.g., #1, maintain firewall and #4, encrypt transmission) are prescriptive while others (e.g., #3, protect stored data, and #6, develop and maintain secure systems) are normative in the sense that they leave the particular means of implementing protection and security to the entity responsible for compliance. Standard 7, ‘‘business need to know’’, contains significant ambiguity and thus accommodates potential variation depending on the business model of the particular user. Finally, the numerical order of the standards carries no particular significance. For example, the final requirement (#12, policy) sets the tone of everything that is expected and yet it is the very last thing on the list. Taken as a whole, a systemic view of the requirements is shown in Fig. 2.

In interpreting the overview in Fig. 2, one can easily surmise that protecting stored and transmitted data is not an esoteric venture. Given today’s integrated systems, often based on an enterprise resource planning (ERP) platform and linked inter-organizationally, it is difficult to pick data security as a sole objective. The entire spectrum of systems and processes, databases, users, and communication links is affected.107 Further, what makes sense for PCI compliance may also be a good case for implementation across all critical systems. The situation here seems to be far different from that offered by the Sarbanes–Oxley Act of 2002, where Section 404 requirements are limited to those processes that impact financial results and their disclosure – a less comprehensive sphere of activity than one affecting all of the entity’s systems and processes.

104 Id. at 214.
105 See Press Release, May 14, 2008 available at https://www.pcisecuritystandards.org/pdfs/05-14-08.pdf (visited 5/15/08). These updated standards will ‘‘enhance the clarity of its technical requirements, offer improved flexibility and address new and evolving risks and threats.’’ However, the updated standards will ‘‘not include any new core requirements beyond the existing 12 in place.’’
106 See Appendix B, available at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf (visited 5/15/08).
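The ‘‘rendering cardholder data unreadable’’ sub-requirement discussed above (Requirement 3.4 of PCI DSS v1.1) names truncation, strong one-way hashes, index tokens and strong cryptography with managed keys as acceptable methods. The following Python is an added illustration written for this page; it is not code from the article or from the PCI Security Standards Council. It shows truncation and a keyed one-way hash in standard-library Python, and it also shows the pitfall a practitioner should check for: an unkeyed hash stored beside the truncated PAN is not ‘‘unreadable’’, because the attacker only has to enumerate the hidden middle digits. The PAN 4111111111111111 is a well-known test number and the key is generated at run time; both are constructed values, not data from the page.

```python
"""Added example for PCI DSS v1.1 Requirement 3.4 (render stored PAN
unreadable), written for this page rather than taken from the article or
from the PCI SSC. Standard library only. The PAN 4111111111111111 is a
well-known test number and the HMAC key is generated on the fly; both
are constructed values, not data from the page."""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that every genuine PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, the
    'first six / last four' rule of Requirements 3.3 and 3.4."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def token_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN. Looks unreadable; see recover_from_unkeyed()."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def token_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key itself must be handled under
    the key-management sub-requirements (restricted access, rotation)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_from_unkeyed(truncated: str, digest: str) -> Optional[str]:
    """Attack: an intruder holding both the truncated PAN and an unkeyed hash
    enumerates the hidden middle digits (10**6 for a 16-digit PAN) and
    compares hashes. Filtering candidates by Luhn would cut the space by a
    further factor of ten, but it is not even needed."""
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=hidden):
        candidate = first6 + "".join(middle) + last4
        if token_unkeyed(candidate) == digest:
            return candidate
    return None


def store_record(pan: str, key: bytes) -> dict:
    """What a compliant record may retain: a truncated PAN for display and a
    keyed token for lookup. The full PAN is not stored at all."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {"display": truncate_pan(pan), "token": token_keyed(pan, key)}


if __name__ == "__main__":
    pan = "4111111111111111"            # constructed test PAN
    key = secrets.token_bytes(32)        # constructed key, normally from an HSM or key store
    rec = store_record(pan, key)
    print("stored record:", rec)
    # Unkeyed hash beside the truncated value: the PAN comes back in well under a second.
    print("unkeyed hash recovered:", recover_from_unkeyed(rec["display"], token_unkeyed(pan)))
    # Keyed token beside the truncated value: the full search finds nothing without the key.
    print("keyed token recovered:", recover_from_unkeyed(rec["display"], rec["token"]))
```

The combination that defeats Requirement 3.4 is precisely the one a naive design produces: a truncated PAN for the receipt or the call-centre screen next to a SHA-256 of the full PAN for matching. With the first six and last four digits visible, the hash protects only six digits, and the search finishes in seconds. A keyed hash (or encryption) moves the secret out of the data and into the key, which is why the key-management sub-requirements, and not the choice of algorithm, carry most of the weight here.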
4.2.
Affected merchants
The PCI DSS affect merchants – the authorized acceptors of credit cards. The industry has classified merchants into four levels and for each level, compliance with the requirements is articulated separately, as shown in Table 2.108 One key rationale for classifying merchants is to balance the cost of compliance with the perceived value of such compliance. This is a classic business-size problem encountered in almost all cases of compliance. For example, regarding the Sarbanes–Oxley Act, the debate is still on whether to require smaller public companies to comply in the same manner as their larger counterparts.
4.3.
Enforcement issues
The promulgation of standards by a separate standard-setting body, i.e., the PCI Security Standards Council (PCI-SSC) and a determination of who is affected by such standards are only initial steps in the process. Those standards must ultimately be adopted and implemented among the various participants in the payment card network. As suggested in Table 2, below, some form of validation or certification is helpful in order to ensure compliance with the standards. These two aspects of enforcement are discussed briefly below.
4.3.1.
Of course, PCI DSS is not the only broadly based standard available for information security. Others may include those promulgated by the International Standards Organization (e.g., ISO 17799 or 27001) or the National Institute of Standards and Technology. See Scott, supra note 59, 60 Admin L. Rev. at 176–77 (mentioning these and other alternatives). 108 These classifications originated in Visa USA definitions. See www.gfi.com (accessed 5/14/08).
Adoption and implementation: the limits of contract
The PCI-SSC describes itself as ‘‘an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.’’109 Neither the PCI-SSC nor its participating organizations110 have any independent legal authority to enforce those standards. Indeed, implementing the standards is not even a condition of membership for a participating organization.111 Contract is the operative means for implementing PCI DSS, and those contractual relationships extend among various members of the payment card network, rather than to the PCI-SSC or another common umbrella organization. Thus, each payment card brand (e.g., Visa, Mastercard, Discover, American Express) will have its own contractual relationships with members of its payment card network. Those contracts will require compliance with PCI DSS and they will define the consequences of noncompliance, such as fines, penalties, or enhanced transaction charges. Compliance is thus a matter of economic cooperation among the members of the network, which is induced through contract. The scope of direct control over the adoption of security standards, however, depends on those with whom there is privity of contract. This limitation was made clear in the TJX litigation, where issuing banks sought to recover from Fifth Third Bank, the acquiring bank for TJX, based on a theory that they were third-party beneficiaries of contracts between others. In particular, these contracts were between TJX and Fifth Third (i.e., merchant and acquiring bank) and between Fifth Third and Visa and Mastercard, respectively (i.e., acquiring bank and card payment network). Although both of these contracts required the merchant and/or the acquiring bank to maintain security, the issuing bank was not a party to either contract, and thus could not claim damages based on breach. 
Under the applicable state law, the parties to those contracts could determine whether they intended to benefit a nonparty; unfortunately for the issuing banks, the court found no such intention.112 Merchants, such as TJX, who lack a direct contractual relationship with the payment card company, such as Visa or Mastercard, have a contractual relationship with their acquiring bank. Acquiring banks are induced to include requirements for security in the hands of their merchant customers due to threats of fines and penalties imposed by the payment card company as a result of noncompliance. The ultimate penalty, in theory, would be suspension or removal from the payment card network. In the case of TJX, the acquiring bank, Fifth Third Bank, faced fines and penalties from Visa due to the noncompliance of its merchant customer. According to a settlement 109
See https://www.pcisecuritystandards.org/ (accessed 5/7/08). As of May 7, 2008, there are 439 participating organizations (including those with pending applications), which include various merchants, banks, and service providers in the payment card industry. See https://www.pcisecuritystandards.org/join/ participating_organizations.htm (accessed May 7, 2008). 111 See https://www.pcisecuritystandards.org/pdfs/Participating_ Organization_Application.pdf (accessed May 7, 2008). 112 See In re TJX Companies Retail Security Breach Litigation, 524 F. Supp.2d 83, 88–90 (D. Mass, 2007). 110
107
551
552
computer law & security report 24 (2008) 540–554
Policy (12) Logical (8)
Physical (9) Boundary (1) System/ Application development (6) Data tran
smission
Testing (11)
System configuration (2)
Access/ Authentication (7)
(4)
Data protection (3)
Monitoring (10) Vulnerability management (5)
Fig. 2 – A systemic overview of the PCI DSS.
agreement, which was made public through a Form 8-K disclosure to the SEC by TJX,113 Visa agreed that ‘‘it will suspend finds pending, but not yet imposed and collected, on Fifth Third arising from its alleged failure to ensure TJX’s compliance with Visa data security requirements or as a result of TJX’s alleged failure to be fully PCI DSS compliant by September 30, 2007 (which was Visa’s deadline for TJX’s PCI DSS compliance)..’’ TJX also obtained relief in the form of reduced interchange fees, and Fifth Third Bank would also receive the elimination of fines, including a $500,000 ‘‘Egregious Violation’’ fine.114 Incorporating PCI DSS standards into contractual provisions presents some practical legal issues for acquiring banks, merchants, and service providers who may be involved in functions affecting the payment card network. For example, to the extent a long-term contractual relationship already exists, there is a practical issue of how to invoke new obligations, which had previously not been contemplated. An acquiring bank may also face challenges from interpretational issues that may arise. Given that the acquiring bank may function for more than one payment card company, and that it has a separate contract with each company, the security practices of the bank may be subject to conflicting interpretations or commitments. Uncertainties in the requirements that payment card companies may impose may counsel against the bank undertaking a consultative role to assist customers in interpreting compliance issues. Moreover, the bank may also be subject to other obligations, such as those imposed by Gramm–Leach–Bliley, which may create additional possibilities for conflict. The absence of a single, authoritative source for these standards adds some complexity, which the PCISSC may be called upon to resolve in order to maintain an appropriate private ordering. 113
See The TJX Companies, Inc., Form 8-K, November 29, 2007, available at http://www.sec.gov/Archives/edgar/data/109198/ 000095013507007247/b67665tje8vk.htm (accessed 5/6/08). 114 See id., x 6.
Another significant issue involving adoption and implementation is the position of small merchants. The technical expertise and costs associated with PCI DSS compliance present a formidable barrier to small businesses. Although insecure practices by these merchants may affect relatively few customers, that insecurity still has a potential impact on those consumers. Disclosure requirements, to the extent applicable to small businesses, would not be expected to garner the type of media attention that might otherwise inhibit card usage and thus harm the card industry. However, the threat of direct negative impacts on small businesses from their customers may nevertheless provide some incentive to enhance security, and to obtain help through third-party consultants and service providers. Ultimately, however, a cost/benefit assessment must be undertaken to evaluate whether participation in the payment card network is desirable and cost-effective for small business participants.
4.3.2. Monitoring security assessment

Securing data in connection with payment card networks also requires monitoring, which is an integral part of the control activities that accompany an appropriate security framework.115 External threats and internal vulnerabilities must be addressed on an ongoing basis in order to provide adequate security.116 Accordingly, as noted above, Requirements 9 and 10 of the DSS require monitoring and testing. A practical question here is who assesses compliance. The PCI-SSC answers this question by providing two tracks. First, it provides a mechanism for training and certifying Qualified Security Assessors (QSAs), third parties who perform on-site evaluations for purposes of monitoring and reviewing compliance with PCI DSS.117 Second, for smaller merchants and service providers who are not required to undergo an on-site assessment, it provides a self-assessment questionnaire, which is aimed at helping these organizations meet the standards.118 Self-assessment questionnaires also vary depending on the type of merchant processing system available in the business, so that appropriate questions may be tailored to the particular security risks of different business models.119 The training and credentialing function performed by the PCI-SSC potentially creates greater uniformity with regard to the implementation of the data security standards. Although each of the founding payment card brands will recognize certification by a QSA, some problems of interpretation may nevertheless remain. As the PCI-SSC website recognizes, “Organizations engaging QSAs … to validate their compliance with the PCI DSS will continue to follow policies and guidelines established by the individual payment brands.”120 Independent approaches among the various card brands are likely to generate inconsistency – and potential conflicts – in this context.

115 See Vasant Raval & Ashok Fichadia, Risks, Controls, and Security 69 (Wiley, 2007).
116 See id. at 69–70. The PCI-SSC recently issued a statement on malware threats, which emphasizes the need to implement PCI DSS and to maintain full compliance in order to prevent these threats. See https://www.pcisecuritystandards.org/pdfs/04-28-08_malware_statement.pdf (visited 5/7/08).
117 For training and requirements, see https://www.pcisecuritystandards.org/training/qsa_training.htm (visited 5/7/08). Training sites include international venues, such as Warsaw, Poland; Sydney, Australia; and Toronto, Canada. See id. A certification is also available for Approved Scanning Vendors (ASVs). See https://www.pcisecuritystandards.org/programs/asv_program.htm (visited 5/7/08).
118 See https://www.pcisecuritystandards.org/tech/saq.htm (visited 5/7/08).
119 See PCI DSS Self-Assessment Questionnaire version 1.1 (February 2008), available at https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf (visited 5/15/08).
120 See https://www.pcisecuritystandards.org/programs/ (visited 5/7/08).

Table 2 – Definition of merchant levels and their compliance requirements

Level 1. Definition (based on annual volume of transactions): merchants with more than six million card transactions; also may include smaller merchants from whom card data have been compromised. Compliance requirements: annual on-site assessment by a certified assessment firm and quarterly network scans.
Level 2. Definition: merchants with between one and six million card transactions. Compliance requirements: annual self-assessment and quarterly network scans.
Level 3. Definition: e-commerce merchants with between 20,000 and one million card transactions. Compliance requirements: annual self-assessment and quarterly network scans.
Level 4. Definition: all other merchants. Compliance requirements: annual self-assessment and annual network scans (often with particulars to be determined by acquiring banks).

4.3.3. Costs and benefits

Despite some difficult allocation issues involved in measuring the cost of compliance, the quantified costs of achieving compliance are far more concrete than the measurement of value from additional security. Most value measurements are intangible, yet they are critical for sustaining an organization. The industry has focused on sustaining the ability to conduct charge-card-based transactions, protecting customer perceptions about their security (and perceptions about the associated merchants and payment card brands), and facilitating card-based business over the Internet, as some of the intangible values it will protect through PCI DSS.

However, by limiting the extent of required compliance with PCI DSS, the industry has effectively decided to leave some customers with less protection, or perhaps no protection at all. Significantly, the cost–benefit trade-off for consumers has been made by the industry through private ordering, rather than through law. From a consumer’s perspective, this lack of protection can also be difficult to quantify. To the extent that PCI DSS compliance is not publicly disclosed by merchants, it may be impossible to know the extent of such protection in any particular case.
5. Future trends and challenges

The payment card industry has grown and thrived in an environment of technological change. The problem of unauthorized transactions, which threatened not only the consumer but also industry profits, was addressed long ago by law in a consumer-friendly manner. However, the more recent problem of unauthorized disclosure of consumer payment card data continues without a solid legal resolution. Economic self-interest from within the industry has influenced the development and implementation of standards designed to enhance security through private ordering. However, threats of regulatory sanction, whether through existing channels or through expanded regulatory intervention, coupled with threats of legal liability from other sources, including tort law, have also shaped these developments. Moreover, state laws requiring disclosure of data security breaches appear to have reinforced the effectiveness of market-based incentives for additional protections to develop.

The state of affairs described above is certainly in flux, as the significance of data security continues to develop in this context. There are many possible issues to be addressed, and a few of these are identified below. Will governments continue to support the private ordering model in this context? Can an effective legal framework be crafted to address technological change and developmental threats in varying business environments?121 Would the gaps in consumer protection identified above (e.g., especially those who do business with smaller merchants) be significantly improved by additional legal intervention? Who would ultimately bear those costs? Should merchants be required to disclose PCI DSS compliance to consumers? What role will emerging legal standards accord to private enforcement of security standards, such as through the imposition of liability on those who fail to protect customer data? Will PCI DSS have some role here in defining the standard of care, which ultimately forms the basis for triggering liability? Will QSAs become another target for recovery (i.e., through malpractice) in the event a breach occurs in a network they assessed? How do liability concerns for significant payment card data security breaches impact broader issues of risk assessment? In particular, how will auditors take into account risks of noncompliance in certification of financial statements? Will they defer to QSAs?

How will boards of directors and corporate executives take PCI DSS compliance into account in designing responses for securing corporate assets? How will PCI DSS affect the security standards among other payment systems or online virtual worlds (and vice versa)? Given global interaction among payment card systems, including service providers, will global standards for interpretation and enforcement emerge? If not, how will firms cope with competing demands?

121 See generally Vasant Raval & Ashok Fichadia, Risks, Controls, and Security 359–60 (Wiley, 2007) (contrasting prescriptive, hybrid, and minimalist approaches to digital signature laws).
Professor Edward A. Morse ([email protected]) holds the McGrath North Mullin & Kratz endowed chair in business law at Creighton University School of Law. Dr. Vasant Raval (vraval@creighton.edu) is Professor of Accounting at Creighton University College of Business Administration and the co-author of Risks, Controls, and Security (Wiley, 2007).