The Green Sheet Online Edition
January 12, 2009 • Issue 09:01:01
PCI, an aspect of PII
The Payment Card Industry (PCI) Data Security Standard (DSS) falls under the broader topic of personally identifiable information (PII). The theft of PII is commonly known as identity theft.
Identity theft issues are broad and far reaching; they are consuming greater corporate resources, both nationally and internationally. The consequences of handling PII in a manner inconsistent with prevailing laws can be severe, regardless of whether the noncompliance was due to accident, incompetence, compromised internal staff or lack of knowledge regarding applicable regulations.
Fraud resulting from identity theft is now a $50 billion-per-year crime, and growing. According to the Federal Trade Commission, it is the most common complaint the agency receives from consumers.
In 2006, the Identity Theft Data Clearinghouse, a national database established to assist law enforcement investigations, received 674,354 complaints forwarded by the FTC, the Internet Crime and Complaint Center and other organizations; 246,035 of those (36 percent) pertained to identity theft.
Each year the number of agencies involved and laws enacted regarding PII at federal and state levels increases. Also, many laws in effect in international venues parallel or exceed rules in place in the United States. Rules and regulations governing PCI are implemented country by country.
PII can bite your customers
PII covers a growing list of data elements that can be tied to or represent a given individual. Illegal or negligent use of these elements can cause individuals to be harmed. PII includes:
- Social Security numbers
- Date of birth
- State identification numbers
- Credit card numbers
- Debit card numbers
- Driver's license numbers
- Bank routing and transit numbers
- Account numbers
- Any other assigned number that can be used to cause an individual harm
PII is often used to open bank accounts as well as merchant accounts. In most instances, a combination of data elements is required for a compromise to occur.
Many of the items listed under the umbrella of PII are regulated both by civil and criminal laws; they carry penalties on federal and state levels. As of this writing, 48 states regulate the use, storage, transmission and disposal of various elements of PII - including credit card information. The federal government has adopted, or is considering, a number of rules and regulations regarding actions associated with PII. The most specific edict to date is the 2008 FTC consent decree released in the Life Is Good Inc. case.
The FTC charged that LIG "failed to provide reasonable and appropriate security for the sensitive consumer information stored on its network," even though the company stated on its Web site that such information "is kept in a secure file."
The consent decree is broad. In nine specific orders, it covers all aspects of LIG's data protection policies, procedures and ethics. One order requires the company to obtain an independent, third-party auditor to review and assess its security measures every other year for the next 20 years.
Already, at least 13 federal laws and regulations either directly or tangentially affect PII. Some examples are the:
And during the 110th U.S. Congress, Senate committees favorably reported out three data security bills that include information security and data breach notification requirements. Other data security bills were also introduced in the House of Representatives and the Senate.
It's bigger than PCI
The PCI DSS, the Payment Application DSS and the PCI PIN Entry Device Standard are designed to protect primary account numbers and their related sensitive data - in other words, credit and debit card numbers - from illegal or unauthorized use.
These industry best-practice-driven recommendations and mandates are closely tied to the current, pending and proposed directives of various federal and state entities. In fact, many distinct principals of these rules and regulations can be traced back to historical legislation in this field.
As in all situations, state and federal laws and regulations trump regulations and mandates of the PCI Security Standards Council. And in the absence of a comprehensive federal data breach notification law, many states have enacted laws mandating consumer notification regarding security breaches of personal data.
As of January 2008, 39 states had enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality and integrity of data. One example is the California Financial Privacy Information Act, which dictates that, in the event of a breach, the impacted company must publicly disclose said breach.
Additionally, six states (California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas) have introduced bills designed to strengthen merchant security and hold companies liable for third-party companies' costs arising from data breaches.
As a result, public disclosures have heightened interest in the following:
- Security of sensitive personal information
- Security of computer systems
- Applicability of existing federal laws to the protection of sensitive personal information
- The business and regulation of data brokers
- Liability of retailers, credit card issuers, payment processors, banks and furnishers of credit reports for costs arising from data breaches
- Criminal liability of persons responsible for unauthorized access to computer systems
- Remedies available to individuals whose personal information was accessed without authorization
- Adequacy of tools available to law enforcement officials and federal regulators
- Prosecution of identity theft crimes related to data breaches
What does it all mean for you, as ISOs and merchant level salespeople? Failure to ensure your merchants are PCI compliant will open you up to greater and greater liability from multiple sources, both civil and criminal.
Ross Federgreen is founder of CSRSI, The Payment Advisors, a leading electronic payment consultancy specifically focused on the merchant. He can be reached at 866-462-7774, ext. 1, or firstname.lastname@example.org.
Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at email@example.com or by phone at 707-269-3200.
Theodore Svoronos, Payments Consultant for Irvine, Calif.-based Group ISO, can be reached by phone at 800-960-0135 or by e-mail at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.