New Data Security Requirements For Credit Card Service Providers

By Rbio_rogerhoodoger Hood | As a result of the highly publicized credit card breaches involving Target, Home Depot and Sony (and more), the policies governing these transactions have changed to require reciprocal agreements between merchants and service providers to protect the security of cardholder data.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies created in 2004 by four major credit-card companies to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.  The policies apply to any entity involved in credit card processing, including merchants, processors and service providers that store, process or transmit cardholder data.  Starting this month, there is a new set of policies: Version 3.0.

Currently, both Visa and MasterCard require merchants and service providers to validate compliance with the PCI DSS.  For larger entities, merchants and service providers must utilize third parties to audit their compliance programs on a regular basis.  Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by PCI DSS, but these organizations must still implement all controls in order to maintain “safe harbor” status and avoid potential liability in the event of fraud associated with theft of cardholder data.  This is accomplished by completing a “Self-Assessment Questionnaire.”

PCI DSS Version 3.0 not only updates and clarifies existing requirements, but includes several new requirements.  Among the changes, there is a critical new requirement (Requirement 12.9), that states:

service providers must now acknowledge, in writing, to their merchants/customers “that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent they could impact the security of the customer’s cardholder data environment.”

This is a big change.  While the merchants/customers have always been required to have written agreements with their service providers that address the merchant/customer’s responsible for the security of cardholder data, service providers have not had a reciprocal requirement.  As a result, some service providers have resisted acknowledging their responsibilities for securing cardholder data and, yet, remained in compliance with the PCI DSS requirements.  We have argued this concern more than once on behalf of our clients.  The new requirement mirrors the existing requirements for merchants/customers and makes the obligation of a written acknowledgement directly applicable to service providers.

Credit card service providers will now need to review contracts with their merchants/customers to determine whether the contract satisfies the new requirements.  Otherwise, service providers will be out of compliance with the new standards, which can create significant financial penalties.

If you are a merchant/customer, it would be worthwhile to review the contracts with your credit card service providers to verify that they assume responsibility for the security of cardholder data.  If not, the new requirements provide great leverage to renegotiate your contracts to obtain this written acknowledgement.  To learn more, contact Roger Hood.