While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators. Moreover, in many cases PCI compliance is performed by security professionals with no attorney collaboration and little understanding of the legal risks involved.

Unlike security laws, the PCI Standard and Security Program rules are not statutes or regulations enforced directly by the government. Rather, the PCI rules are imposed and typically enforced contractually through the “PCI Contract Chain.” The contracts in the contract chain can include indemnification requirements, duties to pay fines and penalties, duties to adhere to payment card operating rules and other duties related to the use of payment cards. The contractual foundation of PCI presents several legal issues:

No direct contractual relationship between merchants and payment card companies. The significance of the chain is that there is typically no direct contractual relationship between payment card companies and merchants. Therefore, generally speaking, payment card companies cannot directly require merchants to adhere to Security Programs or the PCI Standard. Rather, any contractual obligations that do exist are passed through the contract immediately upstream from the merchant (e.g., the contract between the merchant and its merchant bank or payment processor). Nonetheless, in practical terms, payment card companies may be able to force compliance by leveraging their relationships with merchants and their control over access to payment card processing.

No direct duty for service providers to comply with PCI or Security Programs. There is typically no inherent duty for a merchant's service providers to comply with the PCI Standard. Any duty for a service provider to comply with the PCI Standard will flow contractually from the merchant to the service provider (typically not from the payment card companies to the service provider). Therefore, unless merchants impose contractual obligations on their service providers, they may find themselves without leverage to force those service providers to become PCI compliant. In this respect, a merchant's own compliance with PCI is directly contingent on the contractual obligations it imposes on its service providers. The PCI Standard requires merchants to do the following: if cardholder data is shared with service providers, the merchant must contractually require that:

- service providers adhere to the PCI DSS requirements; and
- the agreement include an acknowledgment that the service provider is responsible for the security of the cardholder data it possesses.