If you carry, accept, use, issue or have anything to do with the world of credit cards, debit cards, gift cards, smart cards, stored value cards, pre-paid cards—need I go on?—you need to pay attention to DSS. That is the Payment Card Industry’s Data Security Standards that apply to all types of payment cards issued by the major card-issuing companies. The PCI DSS, in case you hadn’t heard, requires, as an example, that personally identifiable card data be rendered unreadable (truncated, encrypted, firewalled, decapitated—is anyone reading) whenever it is potentially exposed to a third party, when it’s stored, transmitted, used or processed. If you are a merchant with significant card-transaction volumes. encryption can be expensive or time-consuming or both—and no one wants to slow down transactions at the point of sale or at the point of billing. The DSS also requires audit records be kept so breaches can be detected, compromises traced and data integrity monitored. Yes, there are DSS Audit Guidelines from the PCI as well. Not to mention the fact that more than 30 U.S. states already have some form of data breach legislation that requires disclosure, notice and, in some cases, that some remedies be made available to consumers who are or potentially might be the victims of lapses in data protection.
Acquiring institutions—those financial institutions and card processors that have the relationships with merchants that accept and process cards—have until year-end to bring their systems and relationships into compliance, and some card associations are offering rewards for early compliance, but stiff penalties for delays and failure to comply.
How complex does it get? Well, imagine that a merchant opts to mask all credit card numbers, even though address information is unencrypted—but the numbers aren’t visible within any systems and therefore can’t be cross-referenced. PCI compliant? Probably? BUT, that won’t comply with Gramm-Leach-Bliley, the privacy statute applicable to banks and financial institutions that requires otherwise. What about SEC regulations regarding customer data and, of course, Sarbanes-Oxley, which says, “You must control access to your information.”
It’s enough to give anyone a headache. That’s why Rimon has a Financial Services, Corporate & Securities, Intellectual Property and, of course, an Advertising Technology & Media Law practice—so you get one seamless solution to your problems, no matter how complex the world gets.