Page 46 - GS170701
Education
Legal ease:
Cyber-security for ISOs: The crossroads of law and security
By Adam Atlas
Attorney at Law

Cyber-security concerns us all. If all participants in the payments ecosystem err on the side of safety, the payments system, and the nation as a whole, will be better for it. From a legal perspective, security is taking center stage because parties are becoming serious about designating responsibility for breaches and other cyber-security issues. Given the gravity of data security and the high cost to those found liable for breaches, I'll share some insights and identify legal issues related to cyber-security.

Two-factor authentication

If you have not added two-factor authentication to your email and other key accounts, stop reading this article, and do it now. Two-factor authenticators require the person logging in to use the primary password and a second, usually changing, password generated by a phone app or a key fob, such as a YubiKey from Yubico. Doing this can substantially increase the security of your accounts, at almost no cost.

Why is a lawyer recommending two-factor authentication? For starters, I have seen clients successfully avoid threats to their confidential information by utilizing two-factor authentication.

More formally, by way of example, regulated financial institutions, like money transmitters and virtual currency exchanges, are legally required to mandate two-factor authentication. This is due to new regulations adopted by the New York Department of Financial Services (see 23 NYCRR § 500). To be clear, those regulations would not likely apply to a typical ISO; however, it is helpful to learn about security practices and requirements from larger industry-leading entities and their regulators.

Larger ISOs that take part in processing data related to their merchant transactions should be familiar with security requirements, especially those pertaining to cardholder data. Even smaller ISOs, however, deal in many forms of nonpublic personal information, such as Social Security numbers, tax returns and bank account statements.

PCI DSS requirements for ISOs

The Payment Card Industry (PCI) Data Security Standard (DSS) is an industry-made security standard devised to self-regulate the handling of cardholder data and other sensitive data. ISOs spend (and earn) money managing their merchants' PCI-compliance requirements. They should also consider whether their own businesses have unaddressed PCI issues, and whether their vendors, and the merchants those vendors serve, must comply with one or more PCI DSS guidelines.

In layman's terms, PCI standards apply as a function of the quantity and quality of cardholder data that a provider holds. For example, an ISO that takes note of one cardholder number as part of a customer support ticket will not be held to the same standard as one that stores 1 million tokenized credit cards for a portfolio of merchants with recurring transactions.

Most ISOs know enough to stay clear of storing cardholder data. However, those ISOs should query their suppliers to see if the suppliers meet the necessary standard for handling data. With a flurry of new cloud-based platforms serving merchants, it is not always true that the platform meets all applicable PCI requirements. ISOs should grill new suppliers for their merchants to make sure the merchants will not be let down by inadequate PCI compliance on the part of one of their suppliers.

Allocation of liability for breaches

Here is where things get interesting. There is a lot of "passing the hot potato" going on in payments today, with one supplier pointing to another and that one pointing to a third on the subject of liability for breaches. ISOs need to understand precisely where they are positioned in the chain of responsibility for security breaches. If a breach occurs on an ISO's system, we naturally expect the ISO to take liability for the breach. However, if the breach occurs on a merchant's system or at a third-party supplier to the merchant, the allocation of liability becomes more complicated.