Page 38 - GS170902
Education




Legal ease:

ISO technology contracting

By Adam Atlas
Attorney at Law

As with most businesses today, technology is a cornerstone for contemporary ISOs. This article considers some legal issues that are specifically relevant to technology contracts for ISOs.

PCI compliance

Payment Card Industry (PCI) Data Security Standard (DSS) compliance means different things to different people. To a small merchant, it might mean an annual self-assessment questionnaire coupled with a compliance or non-compliance fee.

An ISO that has a technical understanding of PCI compliance is at an advantage, because it can source and supply merchant-appropriate solutions. For example, a merchant who needs to collect and store cardholder data, but does not have PCI-compliant systems, will need to procure access to such systems. The ISO is perfectly situated to be the intermediary between the merchant and possible suppliers.

Once an ISO fully understands the cardholder data processing needs, and the corresponding PCI implications, it is in a position to select and procure the right solution. That said, not all suppliers are aware of the specific level of their own PCI compliance, and some do not even know why they need to be compliant. The ISO can therefore fulfill an educational function not only for the merchant – but also for suppliers – to make the best fit between them.

When a draft IT services agreement is finally put together in support of a PCI-regulated project, the ISO should review it to see what kinds of representations are made as to the PCI compliance of the provider and its services. It might also help to have the merchant or ISO's own PCI assessor look at those representations to see if they satisfy the needs of the merchant or the ISO.

The point here is that some IT services agreements are simply inadequate as to the PCI needs of ISOs and merchants, and they should be tested for that requirement before signing.

Backup, disaster recovery, necessary policies

Disaster recovery, backup, source code escrow, service level commitments and access to information are but a few themes to address in common-sense policies that ISOs should expect from IT suppliers.

This does not mean that the ISO needs to read all of the policies. Under the agreement between the ISO and its IT provider, it makes sense to have the IT provider represent that it has these policies in place and that it meets whatever standard the ISO requires of them.

Representations as to security

The PCI DSS is convenient, because it allows the parties to point to an objective set of standards that are not only identifiable but also subject to certification from a small army of PCI certification services. Outside of the PCI standard, IT suppliers are expected to implement measures to ensure that their data is not compromised or corrupted. ISOs should consider representations by IT suppliers as to the security measures they take to ensure that the ISOs can expect performance that is commensurate with their needs.

When there is a security breach involving consumer data, a whole suite of federal and state laws can apply to the parties. When parties are at the contract-negotiation phase, it is helpful to consider how they will each allocate their respective responsibilities in the event of a security breach. It's also worth asking the IT company to inform the ISO of a breach in its systems that has nothing to do with the ISO – but that could nonetheless be informative as to the solidity of the IT provider.

Indemnification in IT agreements

In a perfect world, ISOs would obtain indemnification for all breaches or other wrongdoing by their IT suppliers. In the real world, IT suppliers will try to limit their obligation to indemnify to a few big-ticket items including:

•  Breach of intellectual property rights
   An IT supplier should be able to promise that it is using only its own intellectual property (i.e. software and systems) or intellectual property rights that it has licensed for use in conjunction with serving the ISO. When an IT supplier uses content in which it does not own the necessary intellectual property rights, the ISO business can become collateral damage in a claim