July 2007 - Legal File

Credit Card Security: Pay Now or Pay Later

By Jeffrey D. Knowles and Suzanne F. Garwood

Theft of consumers’ private, personal financial information can take any one of a number of forms. On the low-tech end of the spectrum, there is “dumpster diving,” where the thief literally rummages through your trash looking for personal information. More sophisticated thieves engage in “phishing” scams, posing as financial institutions or other depositories of personal information, whose trust they leverage to trick you into revealing your private information. Even more sophisticated thieves use “wardriving,” a tactic that could actually involve a thief driving in a car with a laptop and an antenna looking to access unsecured wireless networks. Wardriving is suspected to be the tactic used in the now infamous theft of approximately 45 million credit and debit card numbers from T.J. Maxx, Marshalls and other retailers owned by parent company TJX.

Reports suggest that TJX retailers were vulnerable to attack because their data security systems were not compliant with the Payment Card Industry’s data security standard (the PCI Standard). TJX’s arguable failure to invest in an adequate defense against data security breaches has already cost it millions in terms of lost earnings and will continue to cost it in terms of lost consumers and potential civil litigation.

The PCI Standard is a uniform system designed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to protect stored payment account information and minimize risks of unauthorized intrusion or account compromise. The payment brands all work together to develop and maintain the Standard, via input from retailers and other stakeholders (such as financial institutions) in the payment industry. The Standard consists of twelve requirements divided into six topical areas:

Build and Maintain a Secure Network

  • Requirement #1 - Install and maintain a firewall configuration to protect cardholder data.
  • Requirement #2 - Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Stored Cardholder Data

  • Requirement #3 - Minimize the risk to cardholder data by not storing it unless absolutely necessary, truncating cardholder data if a full primary account number is not needed and not sending primary account numbers in unencrypted e-mails.
  • Requirement #4 - Encrypt sensitive information during transmission over open, public networks, where it is easy and common for an attacker to intercept, modify or divert data in transit.

Maintain a Vulnerability Management Program

  • Requirement #5 - Retailers should use and regularly update anti-virus software or programs and develop and maintain secure systems and applications.
  • Requirement #6 - Use the most recently released, appropriate software patches to protect against exploitation by employees, external hackers and viruses.

Implement Strong Access Control Measures

  • Requirement #7 - Ensure that only authorized personnel can access critical data.
  • Requirement #8 - For those authorized persons, assign a unique identification, which retailers can track back to that authorized user.
  • Requirement #9 - Restrict any physical access to cardholder data.

Monitor and Test Networks

  • Requirement #10 - Track and monitor all access to network resources and cardholder data via system activity logs.
  • Requirement #11 - Frequently test systems, processes and custom software to ensure that security is maintained over time.

Maintain an Information Security Policy

  • Requirement #12 - Establish a strong security policy to set the security tone for the whole company, inform employees about what is expected of them and make them aware of the sensitivity of the data and their responsibilities for protecting it.

Each merchant doing business with one of the identified payment brands must file a PCI DSS compliance report. There isn’t a specific governing body that enforces the Standard. Rather, each payment brand individually administers the Standard via contractual relationships with each merchant and enforces penalties as provided under those contracts. Some perceive this lack of a universal set of penalties for a major security breach as a vacuum that federal or state laws soon will fill.

In April, Javelin Strategy & Research released a study finding that consumers would stop shopping at stores that had data breaches, with many indicating that they would assume the breach was the fault of the retailer. A McAfee study found that one-third of companies surveyed believed that a major security breach could put them out of business.

If these speculative concerns about potential loss of customers and business aren’t enough to convince retailers to invest in data security, Minnesota’s new data security law may be the kicker.

Minnesota’s governor recently signed into law Bill No. HF 1758. To perhaps oversimplify, the law makes it illegal for any person or entity conducting business in Minnesota that accepts an access device in connection with a transaction to retain certain identifying information subsequent to the authorization of the transaction (or for PIN debit transactions, more than 48 hours after authorization).

If a person or entity violates the above prohibition and there is a breach of the person’s or entity’s security system, then that person or entity must reimburse the financial institution for the costs of reasonable actions it undertakes to protect the information of its cardholders or to continue to provide services to cardholders.

Minnesota may have been the first state to get this law on its books, but it will probably not be the last. Texas introduced a similar bill that did not pass this term, and Massachusetts currently is considering similar legislation.

Retailers that want to stay PCI compliant and avoid damages in the form of loss of customers, harm to reputation and possible future statutory damages in Minnesota should evaluate their current data security systems. PCI publishes a helpful self-assessment questionnaire on its website. In addition, the FTC recently published a brochure, entitled Information Compromise and Risk of Identity Theft: Guidance for Your Business, outlining five key steps:

Take Stock - Know what consumer information you have and who has access to it. Identify the data that you collect, know where you store it and know what you share with service providers and where they store it.

Scale Down - Determine whether you really need all the information that you gather. Ask whether you need to keep records for completed transactions and if you use all of the pieces of data that you collect.

Lock It - Encryption, firewalls and other IT defenses are only part of the solution. Look also at the physical security of your business and extensively train employees regarding your security plan.

Pitch It - Decide how to dispose of your information in a secure and timely fashion. Determine how long you need to retain information and then schedule disposal of it.

Plan Ahead - Develop a plan for what to do when your security plan fails and you have a data breach.

Understanding your obligations under PCI Data Security Standard agreements as well as applicable state and federal laws is only the first step. Retailers must constantly reassess their security protocols, network security and emerging data security threats. Vigilance is costly and time-consuming, but its impact on business operations is insignificant when compared to the cost and negative publicity of a data breach.

Jeffrey D. Knowles manages Venable LLP’s Government Division and heads the firm’s Advertising and Marketing Practice Group. Knowles is the immediate past chairman of the ERA Board. He can be reached at (202) 344-4860. Suzanne F. Garwood is an attorney with Venable. She can be reached at (202) 344-8046.

