Credit Card Data Storage on Trial
The laws and regulations governing the storage of credit card numbers vary around the world but generally fall in line with the way card issuers believe the data should be managed. Universal among the major credit card issuers for at least the past 15 years has been the PCI standard, which originated in 2004. While the details have changed over the years, the basic principles remain the same: organizations may not store CVV information, and when cardholder account information must be retained, it must be stored in a secure environment and encoded so that it is not easily accessed by unauthorized persons. Last year, PCI posted version 3.2 of the Data Security Standard (DSS) (previously known as DSS 3.1). PCI 3.2 requires full compliance by January 31, 2018. There are many areas of PCI compliance for which the affected entity must be responsible, and there are many qualified security assessors (QSAs) who are ready to assist. PCI compliance can be both time consuming and costly, but given the reasons for its creation, that cost is a necessary and reasonable expense for most merchants.
In addition to the PCI DSS obligations, the 50 states, the District of Columbia, Puerto Rico and several foreign countries have enacted, or are currently considering, laws aimed at protecting cardholder data. In the United States, these laws typically require that any holder of sensitive cardholder information, including credit card numbers, notify those affected if there is a breach. In most states, a breach occurs if someone "accesses" the data, even if that information is not actually misused in any way. Some states have laws that define the term "breach" more narrowly, but the majority do not. Overseas, the rules vary widely, from non-specific breach disclosure rules to requirements that affected individuals be notified in writing beforehand and given the opportunity to opt out.
Foreign countries and regions have different sets of rules that apply to the processing of credit card numbers. For example, in Europe, the payment services directive (PSD) 2 was adopted in November 2009, and sets forth rules applicable to payments related to the supply of goods and services through payment accounts offered by payment service providers. PSD 2 is based on the "single euro payments area" (SEPA) regulations. Even within Europe, the rules vary widely by country, and may depend on whether or not they are part of the European Union (EU).
PCI DSS Framework
The Payment Card Industry, founded in 2006, comprises the major credit card companies, which have jointly developed standards for how those under contract to accept credit cards should handle cardholder information. Their data security standard, known as PCI DSS (Payment Card Industry Data Security Standard), details the requirements for handling, processing and storing credit card information and sets out a minimum level of security that anyone who stores or processes cardholder information must meet in order to protect that data.
PCI DSS applies to all entities that store, transmit or process cardholder data. It is the responsibility of each business to determine how PCI DSS applies to it, having regard to its transaction volume and whether it is classed as merchant level 1, 2, 3 or 4, or payment gateway level 1 or 2. The requirements of the standard extend far beyond the storage of transactional data, however, and apply to any handling of cardholder data in any manner.
The levels are defined as follows:
Level 1 merchants are those that store, process or transmit over 6 million transactions per year; they must undergo an annual report on compliance, which must be signed off by a Qualified Security Assessor or by the company’s chief executive officer or chief financial officer. Level 2 merchants process 1 million to 6 million transactions annually. Level 3 merchants process 20,000 to 1 million e-commerce transactions per year. Level 4 merchants process fewer than 20,000 e-commerce transactions per year. Payment gateway level 1 companies handle over 300,000,000 transactions annually, while payment gateway level 2 companies handle 300,000 to 30,000,000.
The penalties for non-compliance can be high, including liability for cardholder fraudulent charges, decreasing credibility with partner credit card issuing banks and forfeiture of the right to process credit card transactions. The concept of the PCI DSS is, in many respects, similar to the idea of a regulatory scheme and an associated license to carry on a specified business, such as the licensing of financial advisers, or doctors – the onus for ongoing compliance, which includes supervision of IT operations, is squarely with the licensee; the regulatory authority audits and enforces the rules, but is not responsible for day-to-day management of the licensee’s activities.
Relevant US Federal and State Legislation
U.S. federal and state privacy laws such as the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA), and the Massachusetts Data Security Regulations have unique provisions or effects related to the storage of credit card data. GLBA, for example, regulates financial institutions and prescribes certain privacy requirements, including the requirement to protect customer information through administrative, technical, and physical safeguards. For entities required to comply with GLBA, customer information may include credit card information. The GLBA does not, however, specifically regulate the storage and protection of credit card information.
California’s CCPA requires businesses to (1) inform customers that personal information may be sold to third parties; (2) refrain from selling their personal information if asked not to; (3) disclose information about personal information collected and/or sold; and (4) respond to requests of California residents to provide them the right to know what personal information has been collected and/or sold; delete their personal information and stop selling that personal information; and not discriminate against them for exercising those specific rights. However, the CCPA does not specifically address the storage of credit card information.
In Massachusetts, the Data Security Regulations require any person, business, or government entity that owns or licenses personal information about a resident of Massachusetts to develop, implement, and maintain a comprehensive written information security program designed to protect the confidentiality, integrity, and totality of that personal information. That includes personal payment card information and other personal information relating to the credit card owner. The CCPA expressly states that it is not intended to conflict with the Data Security Regulations, but potential conflicts exist between the two laws.
At the state level, many states have enacted data breach notification laws that require entities to notify consumers when individuals’ personal information has been subject to unauthorized access and acquisition. Access by an employee or contractor of the entity is often exempt from triggering a notification obligation. Other states also impose statutory data destruction obligations.
EU and the GDPR
The GDPR has no explicit provisions concerning the storage of credit card or payment information, but its rules are nonetheless important. First of all, it is important to note that the EU does not have any laws specifically providing for cardholder data storage, as is the case for example in the USA with the PCI DSS. However, under the GDPR cardholder information may be considered personal information, which requires business processes to be adapted in order to comply with the principles of data protection and privacy.
The GDPR applies in the following cases:
- Section 3 (2): If a business is established in the EU, it is always within the scope of the GDPR, even if no personal information is processed and the data subjects are not EU citizens.
- Section 3 (1): If a business is established outside of the EU, it is within the scope of the GDPR if it processes credit cards or personal information of EU citizens.
- Section 3 (1A): A processor or controller outside of the EU will also be subject to the GDPR if it:
  - offers goods or services to residents in the EU (this could include credit card transactions)
  - monitors the behavior of residents in the EU
When storing credit cards or payment information, it is important to understand Article 24, which states that "Taking into account the nature, scope, context and purposes of the processing as well as the risks to rights and freedoms of natural persons…the controller shall implement appropriate technical and organisational measures." This paragraph refers to specific measures, which must take into account various factors, such as the state of the art, the costs of implementation and the nature of the processing.
Consequences of Non-Compliance
"For many organizations, the potential consequences of non-compliance with the laws and regulations surrounding storing credit card data on file may be significant enough to seriously consider moving to a solution that does not require them to store the data directly.
A few examples of the potential implications of non-compliance include:
The payment card networks and processors have identified various fines and penalties assessed for violating the requirements of the payment card industry (PCI) data security standard as follows: The cost to organizations for non-compliance can be considerable, totaling up to several hundred thousand dollars per quarter. Additionally, a disastrous breach in regulated data could result in reputational damage, loss of customers, loss of ability to accept card payments, etc., depending on the degree to which the merchant or service provider is implicated.
In addition to the cost associated with PCI DSS compliance, as most organizations are well aware, merchants and service providers are increasingly challenged with the costs of meeting other information security standards. Privacy legislation, especially legislation establishing an individual’s right to control the use of his/her personal information, is becoming more prevalent, as is legislation with data breach notification requirements. As with PCI DSS, non-compliance with privacy legislation or notification requirements can lead to significant fines or other costs for non-compliance."
Credit Card Number Storage – Best Practice
The PCI DSS 3.2, the most current version of the Payment Card Industry Data Security Standard, has requirements specifically designed to ensure that retailers take appropriate precautions to protect cardholder data and prevent credit card fraud. One of the primary compliance standards under the PCI DSS is a mandate that businesses do not store sensitive authentication data after authorization occurs, even in an unreadable format. As discussed in the Corporate Counsel Business Journal, sensitive authentication data includes cardholder data such as full magnetic stripe data and contents of cards’ chip data, along with card verification values, card validation codes, and PINs.
Because Section 164.302 of the HIPAA Security Rule mandates that healthcare organizations "implement security measures as needed to protect the confidentiality, integrity, and availability of electronic protected health information," healthcare companies taking credit card payments should also use encryption to protect electronic cardholder information. Although there is no single prescribed method for encrypting credit card data, PCI DSS recommends that sensitive authentication data be rendered unreadable through an encryption method based on recognized industry standards.
Other protections of cardholder information include restricting employees’ physical access to media upon which the authentication data is stored, implementing strict access controls, and conducting regular audits.
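The storage rules in this section, as an added Python example (not code from the article or from the PCI Security Standards Council): it strips sensitive authentication data from a captured authorization before anything is persisted, keeps the PAN only as its first-six/last-four truncation plus a keyed SHA-256 hash usable as a lookup token, and audits a record read back from storage for leftover SAD or a clear-text PAN. The field names, the sample authorization and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD) that PCI DSS forbids storing after
# authorization, even in encrypted form.  Field names are this example's own.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "chip_data", "pin", "pin_block"}
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(digits):
    """Mod-10 check that separates a PAN from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Truncate to first six / last four digits, the form PCI DSS allows to be kept in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan, key):
    """Keyed one-way hash of the full PAN.  The secret key (kept apart from the data) is what
    stops the truncated value and the hash from being combined to brute-force the missing digits."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def sanitize_authorization(record, key):
    """Produce the only record that may be persisted after authorization:
    SAD dropped, PAN replaced by its truncated form and a keyed hash (token)."""
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(record["pan"])
    stored["pan_hash"] = hash_pan(record["pan"], key)
    return stored

def audit_stored_record(record):
    """List what a record read back from storage must not contain:
    SAD fields and any Luhn-valid 13-19 digit run (a clear-text PAN)."""
    problems = [f"SAD field present: {k}" for k in record if k in SAD_FIELDS]
    for k, v in record.items():
        problems += [f"clear-text PAN in field {k}" for run in PAN_RE.findall(str(v)) if luhn_valid(run)]
    return problems

# Constructed sample: an authorization as captured from the terminal, with SAD still present.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_AUTH = {"pan": "4111111111111111", "expiry": "12/29", "cvv2": "123",
               "track2": "4111111111111111=2912101", "amount": "19.99", "auth_code": "A1B2C3"}
```

Running `audit_stored_record` over records pulled from a database or log store is a cheap periodic check that SAD and clear PANs have not crept back into persistence.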
Emerging Trends for Storing Payment Cards
Regulation of how credit card data is handled will continue to evolve for some time to come. Given the volatility in the retail industry and the increase in sophisticated attacks, it is hard to predict how governments will eventually choose to regulate. Speculation about future trends can be summarized as follows. Historically, retailers have not been responsible for protecting payment card data. Going forward, merchant credit card agreements will likely require merchants to maintain higher standards for protecting cardholder data. Visa, in particular, has recently updated its merchant agreements to include the PCI DSS as a requirement. The PCI DSS is a detailed list of security controls maintained by the PCI Security Standards Council, a non-profit supported by major payment brands including Visa and Mastercard, which are known for their enforcement of PCI DSS compliance. As the PCI DSS is implemented more widely across the industry, it is likely that more merchants will become certified. Brand protection will therefore also be a consideration going forward, and there may be an increase in issuing brands conducting audits and otherwise monitoring activities related to card data. Retailers should expect to be audited more frequently and should look at their controls and data privacy practices with a more critical eye.