Unlike many compliance requirements, the PCI Data Security Standard is not a law or regulation that can be enforced by the government or in the courts. As attorney David Navetta points out in an SC Magazine piece, PCI DSS is enforced through a "contract chain." Elements of that chain include indemnification requirements, fine and penalty provisions, and agreements to follow the card brands' payment card operating rules.
The contractual nature of the PCI enforcement mechanism presents several interesting legal issues, Navetta says.
In light of these risks, merchants should be careful when selecting their service providers. Purchasing insurance against a service provider failure is also a good idea, according to Navetta. He also advises merchants to get into the habit of interpreting the PCI requirements narrowly, and to build a good working relationship with their legal department.