Page 36 - GS181202
Education
Legal ease

Data breach liability allocation

By Adam Atlas
Attorney at Law

Data breaches are a part of contemporary business. Despite substantial efforts by both industry and governments to limit the chances of a data breach and the negative repercussions associated with them, they continue to occur and cause significant harm.

As ISOs evolve from simple sales organizations to active participants in the flow of data related to merchant payment transactions, they are earning correspondingly greater liability for breaches that occur along the way. The purpose of this article is to highlight key considerations for ISOs, from a legal perspective, arising from a merchant data breach.

Know who stores cardholder data

If there is no data being stored, the chances of a breach are much lower. For several reasons, it is essential for ISOs to know precisely where merchant data is stored. Specifically, ISOs should know where cardholder data is stored, given that cardholder data is the most sensitive data in the payment operations of merchants. Note that merchants are often ignorant of where their data is stored.

The process of finding out where data is stored starts at the POS. When cardholders (online or in person) enter their payment card information, that information goes somewhere. Usually, it is picked up by a secure element within the POS device or hosting platform and is transmitted by a secure gateway (for example, Authorize.net) to the merchant's processor (for example, First Data) for presentment to payment networks (for example, Visa).

Sometimes merchants wish to retain a copy of cardholder data, but they rarely have their own secure storage facilities for cardholder numbers, so they use a third-party provider (such as TrustCommerce). In other cases, merchants are ignorant of the legal and commonsense security requirements, and they store cardholder data on their own unsecured computer systems.

It is a best practice for ISOs to go through this analysis with each merchant to learn precisely where cardholder data is stored and precisely who has promised to store or transmit that data for the merchant. When a breach occurs, both the ISO and the merchant will want to know where and why data was rendered vulnerable to prevent future breaches, as well as allocate liability for the ensuing losses.

Document data storage liability

The processing agreement between the merchant and the acquiring bank will leave all responsibility for security of cardholder data in the hands of the merchant. The ISO should help the merchant take that understanding one step further to see who really stores the data and what promises have been made about that storage.

For example, if a merchant has engaged a gateway to store its cardholder data, the merchant should look to that gateway for promises about the degree of security that will be used in storing the data.

The PCI Security Standards Council is an industry standards-setting organization that has established specific security standards related to the storage of cardholder data. The Payment Card Industry (PCI) security standards came into existence partly because of a fear that if the industry did not regulate itself, government would intervene and impose standards on the industry.

By contract, virtually every participant in the payments industry promises to comply with PCI standards. The standards dictate levels of compliance that are a function of the quantity and type of cardholder data being stored. The more you store, the more secure you have to be.

Back to the documents: the agreement between a gateway storing cardholder data and a merchant should contain promises by the gateway as to its level of PCI compliance. It is helpful for an ISO to know precisely who has made what promises with respect to cardholder data storage.

Before leaving the subject of promises made, it is important to touch on limitations of liability. When a security breach occurs, the merchant who collected the compromised cardholder data could be liable for substantial fines – even if the merchant did not store the data itself. The reason for this is that the merchant had the duty, under the merchant agreement, to select a vendor (that is, gateway) that had secure data collection and transmission capabilities. Where the gateway fails, the processor may look to