Do Your Contracts Meet the Legal Requirements of PCI 3.0?

Highly sophisticated cyberattacks tend to make headlines, but the reality is that most hackers use simple techniques that have been around for years. According to the Verizon 2015 Data Breach Investigations Report, 99.9 percent of cyberattacks exploited vulnerabilities that had been reported more than a year earlier. One in five recorded security breaches were tied to email phishing scams. Clearly, a more concerted, sustained effort to address vulnerabilities and educate employees about cybersecurity best practices is required.

That’s the aim of the latest version of the Payment Card Industry (PCI) Data Security Standard. Dubbed PCI 3.0, the new standard provides more than an updated set of technological requirements and best practices to protect the privacy of cardholder data. A primary goal of PCI 3.0 is to make security and compliance part of day-to-day business operations – a responsibility shared by all employees – and not just an annual review conducted by IT.

Most of the technical requirements of the new standard became mandatory on January 1, 2015. Organizations need to use an industry-accepted methodology for conducting penetration tests and vulnerability assessments to ensure that cardholder data is properly isolated. Merchants must maintain a detailed inventory of all system components used in the cardholder data environment, along with an explanation about the purpose of each piece of hardware and software. Point-of-sale equipment must be routinely inspected, and tighter access controls to these devices implemented.

This laundry list of IT security controls might suggest that PCI is a technology-focused standard. However, PCI has its basis in contract law. There is no PCI statute, although a few states do require compliance with PCI or some of its provisions. In the vast majority of cases, the consequence of noncompliance is a civil lawsuit. Organizations should pay careful attention to their IT-related contracts in order to minimize those legal risks.

PCI 3.0 ups the ante. Certain legal requirements of PCI 3.0, which become mandatory on July 1, 2015, affect the contractual relationships between merchants and the services providers that possess, store, transmit or process payment card data on their behalf. Merchants and service providers must maintain written agreements acknowledging their shared responsibilities in securing payment card data.

PCI 3.0 also mandates that merchants provide documentation that explicitly defines the compliance-related responsibilities of the merchant and those of the service provider. This change is intended to ensure consistency and minimize the finger-pointing that can occur when responsibilities aren’t clearly defined. It is not a contractual requirement, but precise contractual language provides a commonsense approach to complying with this element of the standard.

As a result of these and other requirements of PCI 3.0, merchants, value-added resellers and other service providers should review all existing agreements to ensure compliance. Because assigned responsibility doesn’t necessarily indicate liability, limitations of liability may also need to be changed. This is not something to be handled by the IT department.

Negotiating responsibilities, especially when an agreement is already in place, may prove difficult and even contentious. But the clock is ticking. Agreements between merchants and service providers need to be revised by June 30, 2015. Organizations that are subject to PCI rules would be well served to have their agreements reviewed and revised and negotiations managed by a law firm that specializes in technology law and has a firm grasp on the newest regulatory compliance requirements.