LEHI, Utah — With three states — Minnesota, Nevada and Washington — already having passed laws requiring retailers to be compliant with PCI (payment card industry) data security standards (DSS), expect a card data security law to be passed by the federal government, said Heather Mark, senior vice president, market strategy, ProPay, a payment card processor here.
“It's not if but when the federal government passes a law,” said Mark, speaking earlier this month during a workshop at the Food Marketing Institute Show in Las Vegas. The House of Representatives has already passed a security bill, she noted. “Congress recognizes that the payment system is integral to our economy and that the economy is dependent on the security and integrity of the system,” she said.
In March, she added, Congress held hearings looking at the effectiveness of the PCI standard and examined the connection between credit card fraud and terrorist activity. “Expect to see [legislation] coming, though not necessarily soon,” she said.
The courts are also looking at the PCI standard and trying to determine whether it represents a “reasonable” level of security for consumer card data, Mark said.
The PCI DSS, a set of requirements for payment card data security, was developed by the card brands, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. The standards, which retailers are expected to adopt, are now overseen by the PCI Security Standards Council, Wakefield, Mass., which is releasing the next version of the standards in October.
While waiting to see what the federal government and courts decide to do about data security — whether they accept the PCI standard or require something more — retailers can take steps to prepare themselves, Mark said. Not having sensitive card data in their possession is a good place to start. She recommended using vendors that can encrypt data from the point of swipe and/or tokenize it “so that you never have the data in your environment.”
She also suggested doing “spring cleaning” with in-house data to determine whether it's necessary to hold onto that data, and conducting a risk assessment on practices like allowing USB transfers.
Mark is a believer in “preparing for the worst.” While some retailers believe that their security is as solid as “Fort Knox,” the chances are that “somebody is sitting in a dark room targeting that company,” she said. Consequently, the prudent strategy is to have a response plan in place in the event of a breach. “Have a PR firm that specializes in crisis management on your speed dial.”
Speaking with Mark at the FMI workshop, Keith Swiat, director, PA-DSS practice, global compliance services, Trustwave, Chicago, reminded retailers that they have a new security compliance deadline to worry about — July 1, 2010, when all merchants must use PA-DSS (payment application data security standard)-compliant software.
The goal of the PA-DSS is to help software vendors develop payment applications — which handle authorization and transmission of card data — that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data. Only vendor-developed payment applications are subject to the PA-DSS requirements.
“All merchants must use PA-DSS-compliant applications, if they are shrink-wrapped, by that date,” Swiat said. Merchants who don't meet that deadline may lose their ability to process credit cards or be required to install compliant software, he noted.
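The “spring cleaning” Mark recommends and the PA-DSS rule Swiat describes both come down to one question a retailer can actually test: is card data sitting in our own storage, and is any of it the kind that must never be stored at all? The following Python script is an added example written for this article, not code from ProPay, Trustwave or the PCI Security Standards Council. It scans stored records (the sample log lines are constructed) for full track 1/track 2 data, labelled CVV2 and PIN fields, and Luhn-valid primary account numbers, reports each finding with the PAN masked, and classifies each record as PROHIBITED (track, CVV2 or PIN data present), PAN_IN_CLEAR (a readable PAN, which PCI DSS allows only if rendered unreadable) or CLEAN. The field names, regexes and classification labels are this example's own assumptions, not terms from the standards.

```python
"""Added example (not from the article): scan stored records for card data that
PA-DSS says a payment application must never store (full track data, CVV2, PIN)
and for primary account numbers kept in the clear.  Sample records are constructed."""
import re
from typing import Dict, List

# Track 2 as commonly laid out: PAN '=' YYMM service-code discretionary-data.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})(\d{3})\d*")
# Track 1 format B: %B PAN ^ NAME ^ YYMM service-code discretionary-data.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}\d*")
# Labelled fields that should never appear in persistent storage (assumed field names).
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_FIELD_RE = re.compile(r"\b(pin(?:_?block)?)\s*[=:]\s*[0-9a-f]{4,16}\b", re.IGNORECASE)
# Any 13-19 digit run is a PAN candidate; the Luhn check filters most false positives.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask(pan: str) -> str:
    """Keep first six and last four digits so the report itself never holds a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> Dict[str, List[str]]:
    """Return masked findings for one stored record, grouped by data class."""
    findings: Dict[str, List[str]] = {"track_data": [], "cvv2": [], "pin": [], "pan": []}
    remaining = record
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(remaining):
            findings["track_data"].append(_mask(m.group(1)))
        # Blank out the track so its embedded PAN is not counted again below.
        remaining = rx.sub(lambda m: "#" * len(m.group(0)), remaining)
    for m in CVV_FIELD_RE.finditer(remaining):
        findings["cvv2"].append(m.group(1).lower())
    for m in PIN_FIELD_RE.finditer(remaining):
        findings["pin"].append(m.group(1).lower())
    for m in PAN_RE.finditer(remaining):
        if luhn_ok(m.group(0)):
            findings["pan"].append(_mask(m.group(0)))
    return findings


def classify(findings: Dict[str, List[str]]) -> str:
    """Map findings to a remediation class (labels are this example's own)."""
    if findings["track_data"] or findings["cvv2"] or findings["pin"]:
        return "PROHIBITED"      # must never be stored, even encrypted
    if findings["pan"]:
        return "PAN_IN_CLEAR"    # storable only if rendered unreadable
    return "CLEAN"


def audit(records: List[str]) -> List[str]:
    """Classify every record; one label per input line."""
    return [classify(scan_record(r)) for r in records]


# Constructed sample records; the card numbers are public test numbers, not real accounts.
SAMPLE_RECORDS = [
    "2010-05-01 auth ok txn=1001 track2=4111111111111111=13121010000000000",
    "2010-05-01 auth ok txn=1002 pan=5500000000000004 cvv2=123",
    "2010-05-01 auth ok txn=1003 token=tok_9f3a2b ref=4111111111111112",
    "2010-05-01 auth ok txn=1004 pan=378282246310005 pin_block=1A2B3C4D5E6F7A8B",
    "2010-05-01 auth ok txn=1005 track1=%B4111111111111111^DOE/JOHN^1312101000000?",
]

if __name__ == "__main__":
    for rec, label in zip(SAMPLE_RECORDS, audit(SAMPLE_RECORDS)):
        print(label, scan_record(rec))
```

The third record shows why the Luhn filter matters: the 16-digit reference number fails the check and is reported as clean rather than as a stored PAN, while the tokenized record holds nothing a scanner needs to flag, which is the point of Mark's advice to tokenize at the point of swipe.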
Meanwhile, the PCI Security Standards Council earlier this month announced the release of new security requirements (version 3.0) for Personal Identification Number (PIN) acceptance terminals. The new PIN Transaction Security (PTS) requirements, which represent the culmination of a three-year lifecycle review process, include three new modules for terminal vendors and their customers to secure sensitive card data: one pertaining to data encryption, one facilitating integration of different terminal technologies, and one relating to wireless and RFID applications.
Version 3.0 is effective immediately, and version 2.0 will sunset on May 12, 2011. Vendors therefore have a year to build against the new standards and retailers have that period to select from version 2.0 or version 3.0. Retailers are not required to upgrade their existing terminals, but when buying new terminals they would have to select those that meet the latest standards. Retailers should check with their acquiring bank to determine the exact expectations in regard to payment terminals, said Bob Russo, general manager of the PCI Security Standards Council.