
Eye on Data Breaches: A ‘Scary’ Legal Standard; Details Released on the Coming PCI Update

As federal regulators increasingly zero in on data breaches, lawyers at a payments conference on Wednesday warned that organizations that suffer breaches are likely to have a tougher time avoiding legal liability in the years ahead. And the PCI Security Standards Council disclosed some of the major changes in its upcoming version 3.2 of the Payment Card Industry data-security standard, including a requirement for multi-factor authentication by anyone with administrative access to cardholder data.

Until recently, regulators and the class-action bar have had a tougher time establishing liability in cases where they cannot show that consumers suffered any losses from breaches of card data, speakers said during a session at Transact16, an event in Las Vegas sponsored by the Electronic Transactions Association, the merchant-acquiring industry trade group. But that standard is changing, the speakers said.

Breached entities “have been able to deflect [regulators] if they can show no consumer harm,” said Leonard Gordon, a partner at Venable LLC, a New York City-based law firm. “That worked until last year, when a court ruled that fear of harm alone was sufficient injury for a case to go forward.”

Gordon warned the audience to “keep an eye” on this development. “It’s a scary case going forward,” he said.

In payment card data breaches, consumers are often reimbursed under the terms of their card agreements in cases of fraudulent use of their cards. In a well-known breach, that of the Wyndham Worldwide Corp. hotel chain, the Federal Trade Commission sued the chain but “couldn’t find any consumer who was out of pocket,” leading to a settlement that was “mild” in its terms toward Wyndham, Gordon said. That sort of outcome now might be more difficult to achieve for breached entities when consumers suffer no loss, Gordon warned.

The FTC sued Wyndham in 2013 after the chain sustained three breaches that the regulator said involved more than half a million card accounts and $10.6 million in fraud losses.

At the same time, the smallest merchants are still struggling to comply with the PCI data-security standard years after PCI was introduced and as a new version is under development. Gregory Holmes, another expert who spoke during the session, cited an estimate that just 40% of so-called Level 4 merchants are “truly compliant with PCI.” Holmes is a San Francisco-based director at PwC, a consulting firm that acts as a qualified security assessor for PCI compliance.

Level 4 merchants are those that process fewer than 1 million card transactions annually.

Meanwhile, the Wakefield, Mass.-based PCI Council, which administers the main PCI rule set and its related standards, plans to release version 3.2 of the PCI DSS later this month. The Council this week posted on its blog some of the key changes that card-accepting merchants, processors and other entities that handle general-purpose credit and debit cards can expect.

One change will be a requirement for multi-factor authentication for anyone with administrative access to computer systems containing card data. Multi-factor (sometimes called two-factor) authentication means at least two different kinds of credentials are required to access the data, for example, a password, a token or smart card, or a biometric.

The existing standard requires two-factor authentication only when access to cardholder data comes from a so-called “untrusted” remote environment.

“The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network,” PCI Council chief technology officer Troy Leach said in the post. He later added: “This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.”
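To make the shift concrete, the following policy check is an added illustration and is not code from the article or from the PCI Council. It models the two rules described above: the pre-3.2 rule, where a second factor is demanded only for access from an untrusted network, and the 3.2 rule, where any administrative access into the cardholder data environment needs it regardless of network trust. It also captures the point that two credentials of the same kind (a password plus a PIN) still count as one factor. The factor categories, credential names and the `AccessRequest` fields are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """The three classic authentication factor categories (assumed taxonomy)."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smart card
    INHERENCE = "something you are"     # biometric


# Constructed mapping from credential kinds to the factor category they belong to.
CREDENTIAL_FACTOR = {
    "password": FactorType.KNOWLEDGE,
    "pin": FactorType.KNOWLEDGE,
    "hardware_token": FactorType.POSSESSION,
    "smart_card": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt against the cardholder data environment (hypothetical shape)."""
    user: str
    is_admin: bool
    from_trusted_network: bool
    credentials: tuple  # names of credential kinds presented, e.g. ("password", "smart_card")


def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credentials.

    Unknown credential kinds are ignored rather than trusted as a factor.
    """
    return {CREDENTIAL_FACTOR[c] for c in credentials if c in CREDENTIAL_FACTOR}


def mfa_satisfied(credentials):
    """True only if at least two *different* factor categories were presented."""
    return len(distinct_factors(credentials)) >= 2


def requires_mfa_pre_3_2(req):
    """Earlier rule: a second factor is needed only from an untrusted remote network."""
    return not req.from_trusted_network


def requires_mfa_3_2(req):
    """PCI DSS 3.2 rule: untrusted-network access OR any administrative access needs MFA."""
    return (not req.from_trusted_network) or req.is_admin


def authorize(req, policy):
    """Decide whether the request may proceed under the given MFA policy.

    Returns (allowed, reason) so callers and logs can see why access was refused.
    """
    if policy(req) and not mfa_satisfied(req.credentials):
        factors = sorted(f.name for f in distinct_factors(req.credentials))
        return False, f"MFA required but only {factors or ['no recognised factor']} presented"
    return True, "ok"


def compare_policies(req):
    """Evaluate one request under both rules; handy for spotting admins who pass today but not under 3.2."""
    return {
        "pre_3_2": authorize(req, requires_mfa_pre_3_2)[0],
        "v3_2": authorize(req, requires_mfa_3_2)[0],
    }


if __name__ == "__main__":
    # Constructed sample: an internal admin logging in from the trusted network with a password only.
    admin_password_only = AccessRequest("dba-alice", True, True, ("password",))
    print(compare_policies(admin_password_only))   # allowed before 3.2, refused under 3.2
    admin_with_card = AccessRequest("dba-alice", True, True, ("password", "smart_card"))
    print(compare_policies(admin_with_card))       # allowed under both
```

Running `compare_policies` over an export of recent administrative logins is a quick way to estimate how many accounts would be blocked by the 3.2 rule before it is enforced.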

The update also will include several new requirements for service providers, the individuals or companies that help merchants set up and maintain card-accepting systems. Third parties often do poor work regarding data security and have been the sources of numerous data breaches.

A summary of the coming changes can be accessed here.
