PCI Law: Should retailers pay when they lose card data?

Is PCI-DSS (Payment Card Industry Data Security Standard) a Sufficient Standard of Care to Support Retailer Liability to Banks?

Credit Card Number Security Incident Response

The mechanics and theory of credit cards are so jerry-built that it is legally unfair to make merchants pay damages to anyone when credit card data leaks to criminals. The credit card system was not designed with the idea that merchants would need Fort Knox-style security to protect electronic information. It was only after the system became wildly popular that financial institutions (acting through the PCI) articulated heavy data security burdens for merchants.

It remains an open question whether the johnny-come-lately PCI rules are effective at protecting the credit card system. Even after a merchant spends lots of money becoming "PCI compliant," hackers can still break into the merchant and steal the little units of data (name, account number, expiration date, security code) upon which the system so heavily relies. That's not because the merchant is negligent or guilty of privacy crime. It is because commercial information systems are inherently vulnerable to modern hackers in search of discrete units of data like names and numbers that are used over and over and over again.

The credit card industry needs to invent new ways to authenticate people and transactions, and to place less emphasis on maintaining the confidentiality of data elements like name plus account number plus security code.

I have published more analysis on the topic of merchant liability for a credit card data breach.

--Benjamin Wright

Mr. Wright teach the Law of Data Security and Investigations at the SANS Institute

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

2 comments:

AnonymousMarch 31, 2008 at 8:31 AM
I was far more impressed with your site before I tripped over this video. Talk of conspiracy, and the overwrought delivery were over-the-top and off-putting.
Benjamin WrightApril 1, 2008 at 7:21 AM
The foregoing comment refers to a tongue-in-cheek video that I have removed. I appreciate the feedback. --Ben

InfoSec & Forensics Law