Among the merchants, security auditors, credit card issuers and card transaction servicing firms in attendance at the PCI Data Security Standards Conference in New York City on Wednesday was a cadre of attorneys.
Many merchants have legacy payment systems that store prohibited data or lack security features. When a data breach takes place, you can bet company executives will scramble to find the best attorneys and protect the company from further damage. But one of the messages at the conference is to involve the company’s general counsel as part of a PCI data compliance project. Simply put: Cover your tail now before the inevitable happens.
At the end of the day, if a retailer experiences a data breach only PCI DSS compliance will help defend the company in any legal battle, said John Wood, an attorney who attended the conference and is with a firm that has handled massive data breach cases.
“I would not put any great hope in the fact that a safe harbor provision will in any way give you a safe harbor,” Wood said.
Visa’s Jennifer Fischer, called PCI DSS compliance a three-step approach. 1) Eliminate the storage of prohibited cardholder data. 2) Implement secure payment applications. 3) Secure the overall environment using the PCI standard (encryption).
Easier said than done. Retailers using legacy payment equipment in multiple locations can expect to spend millions on compliance.
So how do you get management’s attention to spend big bucks on PCI DSS compliance? Mark Rasch, director of technology at FTI Consulting is also an attorney who headed the Justice Department’s computer crime unit. CISOs seeking to get a project approved by management can quantify the benefits by finding out the value of accepting credit cards from customers, Rasch said.
“By pegging the value of PCI compliance to the value of being able to process credit cards you have put a number on it that management can better understand,” he said. “They won’t want to revert to accepting only cash.”
While PCI DSS has been treated mainly as a technology problem, Rasch said it is really a problem of managing risk.
“You’ll need in-house lawyers to champion the issue,” he said.