The Risky Business of PCI Compliance

Lora Bentley

Unlike many compliance requirements, the PCI Data Security Standard is not a law or regulation that can be enforced by the government or in the courts. As attorney David Navetta points out in an SC Magazine piece, PCI DSS is enforced through a "contract chain." The links of that chain can include indemnification requirements, fine and penalty provisions, and agreements to abide by the payment card brands' operating rules.

The contractual nature of the PCI enforcement mechanism presents several interesting legal issues, Navetta says.

  • Merchants who accept payment cards are under no direct contractual duty to the payment card brands. Merchant banks (acquirers) or other organizations that process the payments act as "middle men," and it is through them that the obligations flow down to the merchant.
  • Service providers for the merchants are under no direct duty to the card brands to comply with PCI requirements. For merchants to ensure that they remain PCI compliant, they must impose contractual obligations on their service providers so that the service providers maintain compliance.
  • The third issue is what Navetta calls "matching upstream and downstream obligations and risks." In other words, if a service provider's failure causes the merchant to have to pay a fine to its merchant bank, the service provider should be contractually obligated to reimburse the merchant for the amount of that fine.

In light of these risks, merchants should be careful when selecting their service providers. Purchasing insurance against a service provider failure is also a good idea, according to Navetta. He also advises merchants to get into the habit of interpreting the PCI requirements narrowly, and to build a good relationship with the legal department.

May 8, 2008 1:11 AM Steve Clarke says:
Is this just US or both US/UK related?

May 9, 2008 5:18 AM Ricardo Nave says:
Well, it's pretty obvious PCI DSS needs a revision in that requirement. As I see it, it wouldn't pose a risk if service/product providers don't really interact with system components and, therefore, would never handle cardholder data.