Payment Card Information Data Breaches: What Business Owners Probably Do Not, But Should, Know.
If your business accepts credit or debit cards, i.e., payment cards, as a form of payment, take note whether caused by the innocent mistake of an employee or the intentional theft by a hacker, the odds are that you will experience a data breach that compromises the security of payment card information in your business’s possession stored electronically as “cardholder data.” And, further, the odds are that your business will be required to notify not only its payment card merchant services provider, but also the Office of the Attorney General and affected customers. The consequences of such breaches range from damage to your company’s reputation to costly penalties and fines. Further, such breaches expose your company to liability should a cardholder or group of cardholders file a lawsuit against your business. In the aftermath of the Target and Neiman Marcus breaches and with Windows XP (the operating system of choice for many point of sale systems) no longer supported by Microsoft, the following is an overview of a few key things your company needs to know about data security and reporting requirements.
Payment Card Industry Data Security Standard & Merchant Services Agreement Requirements
The Payment Card Industry (PCI) Security Standards Council (SSC) was formed by major card brands, including American Express, Discover, MasterCard, and Visa. The purpose of its formation was to establish comprehensive standards to enhance the security of payment card data and to implement consistent data security measures for all entities involved in payment card processing. To that end, the PCI SSC created the PCI Data Security Standard (DSS), which provides a minimum set of technical and operational requirements aimed at protecting payment card information.
Generally, to be PCI DSS compliant, any business that processes payment cards must do the following: (1) build and maintain a secure network and systems with a firewall and other security parameters; (2) protect stored cardholder data and encrypt cardholder data that is transmitted across public networks; (3) maintain a vulnerability management program that protects against malware, includes regular anti-virus updating, and secures systems and applications; (4) implement strong access control measures that restrict access to cardholder data and identify and authenticate system access; (5) regularly monitor networks by tracking and monitoring access to cardholder data and test those networks’ security systems and processes; and (6) maintain an information security policy that addresses information security for all personnel.
Your business likely has a merchant services agreement with a bank, or a servicer affiliated with a bank, under which it receives card payment authorization, processing, and settlement services. You may not even know that, upon entering into a merchant services agreement, your business represents and warrants that it is, and will continue to be, PCI DSS compliant, and it most likely requires your company to provide immediate notice to your bank or bank-affiliated servicer of any compromise of cardholder data. Further, you may not even know that failure to do so can result in not only non-compliance fees being added to your billing statements and an increase in your transaction charges, but, in the case of an actual compromise of cardholder data, it also can result in your business being required to repay hefty fines that the payment brands, such as Visa and MasterCard, levy upon your bank or bank-affiliated servicer. Such fines for violations can reach $500,000.00 for a breach that occurred to a system that was not PCI DSS compliant.
Virginia Breach of Personal Information Notification Law
In Virginia, under Code of Virginia 18.2-186.6, “personal information” is defined, in part, to include the first name or first initial and last name of a person together with an unencrypted or unredacted credit card or debit card number. A “breach of the security of the system” is defined as the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information and that causes identity theft or other fraud to a resident of Virginia, or triggers your company to reasonably believe identity theft or other fraud to a resident of Virginia has been caused or will be caused. Upon experiencing such a breach, your company is required to notify, without unreasonable delay, the Office of the Attorney General and all effected residents of Virginia. In response, the Office of the Attorney General may bring an action to address any violations of the notification law and may impose a civil penalty of up to $150,000.00 per breach or series of similar and related breaches. Further, the law expressly states that nothing contained within it limits individuals from recovering direct economic damages for a violation of the law.
The bottom line is that your company, to the extent that it accepts payment by credit or debit card, must become PCI DSS compliant and maintain such compliance. PCI DSS compliance will safeguard your company from fines assessed by the major card brands, and it will assist in avoiding the costly and embarrassing notification process that Virginia law requires in the event of a breach of cardholder data. To remain noncompliant unreasonably places your company in fiscal peril and risks loss of your customers’ valuable cardholder data.
And to the extent that you ever have the unfortunate perception that a breach of cardholder data in your company’s possession has occurred, call a lawyer trained in data-breach response first to coach you through the breach response, mitigation, and notification process. Skilled legal counsel will guide you through the myriad of legal issues and business considerations, and also will retain appropriately credentialed security specialists, such as our friends at Sera-Brynn whom we engage as PCI Qualified Security Assessors, to identify the source of the breach, contain it, and secure your system. – Marc E. Darnell
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2023.