
For most retailers, the primary source of revenue is credit card transactions. In order to accept credit cards, a retailer must enter into a contractual agreement with a payment processor and a merchant bank. As discussed in previous articles, those agreements typically require that the retailer represent and warrant its compliance with the Payment Card Industry Data Security Standard (“PCI DSS”). Alternatively, they require a representation and warranty that the retailer complies with the rules of the payment card brands (i.e., American Express, Discover, MasterCard, and Visa), and some of the payment brand rules could be interpreted as requiring that a retailer be compliant with the PCI DSS.

The PCI DSS is a standard that was originally established by the payment brands and later transferred to the Payment Card Industry Security Standards Council (“PCI SSC”) for management and further development. The standard sets forth what the payment brands contend is a baseline of technical and operational requirements designed to protect cardholder data. Put differently, many consider the PCI DSS to be the minimum set of requirements a company must meet in order to accept and process credit cards.

The current version of the PCI DSS was published in April of 2016 and represents the sixth incarnation of the standard.

240+

Number of security controls required under the current version of the PCI DSS.[1]

12 Months

The frequency with which large retailers must audit and certify their compliance with the PCI DSS.[2]


Factors retailers should consider when evaluating their compliance with the 12 requirements of PCI DSS:

  1. Are there any concerns about the scope of your organization’s latest “Report on Compliance” or “Attestation of Compliance”?
  2. Are there any deficiencies identified in your organization’s latest “Report on Compliance” or “Attestation of Compliance”, and are you remediating those issues?
  3. If PCI non-compliance was identified, did it trigger contractual notification or remediation requirements?
  4. If you retained a third party to evaluate your PCI compliance, are you confident in the proficiency of that company and its analysis?
  5. Are your vendors contractually required to meet PCI standards?
  6. Do your device vendors and manufacturers meet requirements, such as PIN Transaction Security (PTS) standards?
  7. Is your Payment Application PA-DSS validated?
  8. Are you using a Point-to-Point Encryption (“P2PE”) solution?
  9. If so, does your Point-to-Point Encryption solution meet the PCI P2PE standard?
  10. Have the vendors that access, transmit, or store your credit or debit card data provided you with appropriate indemnification in the event of a breach caused by their equipment?

[1] Payment Card Industry, Data Security Standard v 3.2, https://www.pcisecuritystandards.org/security_standards/documents.php (“PCI DSS 3.2”).

[2] See, e.g., American Express Merchant Operating Guide (Oct. 2016).