Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Financial Services

Legal Departments: New PCI DSS Requirements Mandatory in June

Posted in Financial Services

PCI Council publishes new PCI Data Security Standard Version 3.1 and provides very short time to implement new encryption standards.

The PCI Council just published a new version of the PCI Data Security Standard (PCI DSS).  The new Version 3.1 (agreement required) is available to use immediately and becomes mandatory on June 30, 2015.  If your company’s annual report on compliance is due on July 1 or after, you are required to evaluate your compliance against the new Version 3.1.  The PCI Council generally expects all companies to follow the new version when it becomes mandatory, even if you have already completed your report on and attestation of compliance for the year.

As we previously reported, the most significant change in this update is that SSL (Secure Sockets Layer) and earlier versions of TLS (Transport Layer Security), both very popular encryption standards that have been used to help protect online payments, do not satisfy the PCI’s mandatory strong-encryption requirements.  This means that if your website’s shopping cart is using one of these legacy encryption standards, it is going to need to be updated.  It may not be a quick or simple fix, especially if other ... Continue Reading

New PCI Tokenization Guidelines

Posted in Financial Services

Last week, the Payment Card Industry Security Standards Council released new guidelines related to the security of tokenization products.  The guidelines are a set of technical best practices for evaluating tokenization products that will be used to replace the primary account number (PAN), commonly known as the full credit card number, with a substitute value called a “token.”

The guidelines provide best practices, evaluation procedures and guidance in five different areas:

  1. General Guidelines: Includes thirteen general guidelines that apply to all forms of tokenization.
  2. Token Generation: Provides recommendations for securely generating tokens and applies to all devices, processes, mechanisms and algorithms used to create tokens.
  3. Token Mapping: Addresses guidelines for reversible tokens that can be mapped back to their original PANs and includes access controls and logging requirements for de-tokenization requests.
  4. Card Data Vault: These recommendations are only applicable to reversible tokens and mandate encryption of the PAN and access controls for the vault where the PAN-to-token table is stored.
  5. Cryptographic Key Management: These define key management practices for all encryption performed by the tokenization product.

Many businesses are using payment tokens in order to reduce the size and complexity of ... Continue Reading

Webinar: Re-Identification Risks for Credit Card Data

Posted in Data Protection, Financial Services

Join us March 10 at 1PM EST (10AM PST) for Re-identification Risks for Credit Card Data, featuring DWT payments team members Christin McMeley and Brian Hurh as well as Khaled El Emam, Founder and CEO of Privacy Analytics.

An article was published recently in Science magazine claiming that it is “easy” to re-identify credit card transaction data that has been anonymized.

We will look critically at the study’s findings and its shortcomings, as well as review the legal requirements for sharing credit card and other financial data under U.S. laws. Big data has transformational potential – let’s explore how companies can realize that potential, while protecting consumer privacy at the same time.

Register here.... Continue Reading

Latest PCI Standard Pushes Toward Risk Management

Posted in Data Protection, Financial Services

In today’s Compliance Week, Christopher Avery discussed the latest PCI Data Security Standard (PCI-DSS).

“There are still a large number of organizations that look at PCI DSS as just a compliance obligation with point-in-time assessments,” says Christopher Avery, a data security expert with the law firm Davis Wright Tremaine. “That’s not to say that PCI is not important, but they put it to the side until one of the annual attestation windows approaches.”

“There is a renewed focus on the relationship among service providers,” Avery says. “There has always, historically, been some tension there with respect to who is responsible for what and who does what. Under Version 3.0 there are structural changes that make a clearer delineation of who is responsible for what.”

Read the entire article on Compliance Week’s website.

... Continue Reading

Legal Departments: Are You Ready for The New PCI DSS Requirements?

Posted in Data Protection, Financial Services, Technology

Starting Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 (click-through agreement required) will replace Version 2.0.  The PCI DSS is a set of requirements developed by the four major credit card networks and is designed to enhance the security of credit card transactions and cardholder data.  The PCI DSS requirements apply to any entity involved in credit card processing, including merchants, processors and service providers that store, process or transmit cardholder data.  In short, the PCI DSS applies to virtually all companies, big and small, that take credit card payments from consumers or help facilitate those transactions.

In November 2013, the PCI released Version 3.0 of the PCI DSS and made it available for voluntary use in January 2014.  During 2014, covered entities were permitted to use either Version 2.0 or the updated Version 3.0 in order to certify their annual PCI DSS compliance.  However, after December 31, 2014, covered entities will be required to use Version 3.0 for their attestation and internal compliance purposes.  Version 3.0 not only updates and clarifies existing requirements, but also includes several new requirements.

The PCI DSS rules are not just technical requirements.  The new requirements ... Continue Reading

FACTA Class Actions

Posted in Financial Services

In the July 2014 issues of The Review of Banking & Financial Services, DWT payments team members Burt Braverman and Micah Ratner wrote about the truncation requirement of FACTA, which has spawned a wave of class action litigation with potentially ruinous damages for “willful” violations. The authors describe the court rulings in these cases at the pleading stage, at class certification, and at summary judgment. They also review state truncation laws, card network rules, and the PCI DSS. They close with suggested steps for businesses to take to reduce the potential for future FACTA lawsuits and mitigate damage awards in the event of such litigation.

To read the full article, click here.... Continue Reading

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Cyber and National Security, Data Protection, Financial Services, Marketing and Consumer Privacy

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere. … For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure ... Continue Reading

FFIEC Finalizes and Clarifies Its Social Media Policy

Posted in Financial Services

The Federal Financial Institutions Examination Council (FFIEC) recently released its final supervisory guidance on social media use.  In January 2013, we wrote about the FFIEC’s proposed guidance in connection with the applicability of existing laws and policies to the social media activities of financial institutions. Since that time the FFIEC received 81 official comments on its proposal. The final guidance is not markedly different from the proposed guidance but clarifies the proposal in a few areas.

... Continue Reading

Genesco Wins One, Loses One in Its Case Challenging PCI DSS Fines and Assessments

Posted in Financial Services

On November 25, 2013, Chief Judge William Haynes filed the latest order in Genesco v. Visa, Civ. No. 3:13-cv-00202 (M.D. Tenn.). In his one-line order, Judge Haynes denied Genesco’s motion for partial summary judgment “without prejudice to renew after a reasonable period of discovery.” Genesco, a Nashville-based retailer with 2,440 stores in the U.S., U.K., Canada, and Ireland, sued the three Visa entities in March 2013 after Visa imposed a total of $13,298,900 in PCI DSS noncompliance fines and assessments. Genesco had asked for judgment as a matter of law on its claims that Visa’s fines for alleged noncompliance with the Payment Card Industry Data Security Standard (“PCI DSS”) (1) violated Genesco’s acquiring banks’ contracts with Visa; (2) violated the California Unfair Business Practices Act (“UCL”); or (3) unjustly enriched Visa. The court’s denial of Genesco’s motion leaves most of the key issues in this important case to be resolved.... Continue Reading

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.... Continue Reading

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted in Cyber and National Security, Data Protection, Financial Services, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

The FTC recently announced a consent decree with online retailer Life is good that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC’s view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.... Continue Reading

California Governor Vetoes Proposed Law Imposing Stronger Data Protection Requirements

Posted in Cyber and National Security, Financial Services, Policy and Regulatory Positioning

Posted by Charlene Brownlee

California Governor Arnold Schwarzenegger vetoed AB 779 — legislation that would have amended California’s data security breach legislation to impose stronger data protection requirements than the Payment Card Industry Data Security Standard.

AB 779 would have prohibited businesses that sell goods or services to any resident of California and that accept as payment credit cards (and debit cards or other payment devices) from, among other things, storing, retaining, sending, or failing to limit access to payment-related data, and from storing sensitive authentication data subsequent to an authorization, unless a specified exception applied. Further, the bill would have made such businesses liable to the owner or licensee of the information for the reimbursement of costs of: (i) providing notice to consumers as required by existing data breach notification law; and (ii) card replacement as a result of the breach.... Continue Reading

Bank Regulatory Agencies Release Updated BSA/AML Examination Manual

Posted in Financial Services

Posted by Peter Mucklestone

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated 2007 version of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which updates and further clarifies supervisory expectations since the 2006 version was published last year. The Manual is used in connection with examinations of supervised financial institutions.

The revised version is based on feedback from the banking industry and examination staff. The Office of Foreign Asset Control (OFAC) collaborated on the revisions made to the section that addresses compliance with economic and trade sanctions administered and enforced by OFAC.

The 2007 version of the manual is located on the FFIEC BSA/AML InfoBase website.... Continue Reading

OFAC Publishes Guidance for Banks

Posted in Financial Services

Posted by Peter Mucklestone

The Office of Foreign Assets Control (OFAC) recently published a brochure titled "Foreign Assets Control Regulations for the Financial Community" dated June 15, 2007, to help banks comply with the statutes and regulations that OFAC administers.

OFAC administers laws and regulations, including the Trading With the Enemy Act and the International Emergency Economic Powers Act, which further U.S. foreign policy and national security objectives through trade embargoes, blocked assets controls and other commercial and financial restrictions. All U.S. persons, including banks, must comply with the laws and regulations that OFAC administers.... Continue Reading

OCC Approves National Bank Investment in Fraud Prevention Company

Posted in Financial Services

Posted by Peter Mucklestone and Jim Young

The Office of the Comptroller of the Currency (OCC) recently issued an Interpretive Letter (the “Letter”), which concludes that national banks have the authority under 12 U.S.C. § 24(Seventh) to make a noncontrolling investment in a certain limited liability company (the “Investee LLC”) that sells fraud prevention, identity verification, credential validation and payment/deposit risk services (the “Investee Activities”) to financial institutions, credit card issuers, check acceptance companies, brokerage firms, mutual fund companies, retailers, governmental agencies and others. 12 U.S.C. § 24(Seventh) contains a broad grant of authority allowing national banks to engage in activities that are incidental to the "business of banking."... Continue Reading

SAR Forms Revised

Posted in Financial Services

Posted by Peter Mucklestone

The Financial Crimes Enforcement Network (FinCEN) has revised the forms of Suspicious Activity Report (SAR). Certain financial companies are required to file SARs with the Treasury Department to report suspicious activity relevant to possible violations of law or regulations. The new forms should not be used before June 30, 2007, and the old forms will not be accepted after December 31, 2007.

There are different forms for different reporting companies. Depository Institutions should use FinCEN Form SAR-DI, Securities and Futures Industries should use FinCEN Form 101, Casinos and Card Clubs should use FinCEN Form 102 and Insurance Companies should use FinCEN Form 108.

The revisions are intended to facilitate joint filings and thereby reduce the number of duplicate SARs filed for a single transaction.

The new forms may be viewed at the FinCEN website.... Continue Reading

Fincen Clarifies Independent Review Requirements for MSB AML Programs

Posted in Financial Services

The Department of the Treasury Financial Crimes Enforcement Network (Fincen) recently published Frequently Asked Questions (FAQs) providing guidance for money service businesses (MSBs) in connection with their anti-money laundering (AML) programs. 

Under the Bank Secrecy Act (BSA), MSBs must establish an AML program which sets forth at a minimum: internal policies, procedures, and controls; designates a compliance officer; provides for ongoing employee training; and provides for an independent audit function to test programs.   31 U.S.C. Section 5318(h).... Continue Reading

When Your Offline Security Is Threatened By Your Online Activity, Part II

Posted in Financial Services

Posted by Joe Addiego

As blogged a month ago, several Craigslist users have been the target of violent robberies after being “cased out” during online transactions for the sale of their personal goods. It turns out that in addition to posing risks to your physical health, the use of message boards or auction sites can affect your financial health, as well, even if the financial transaction occurs offline.

The San Francisco Chronicle just reported an unfortunate incident that happened to a San Francisco resident, who unknowingly cashed a phony check he received in exchange for the sale of two bicycles he had posted for sale on Craigslist. The check was for an amount in excess of what he negotiated, but despite some reservations, the seller cashed the check anyway. Apparently, the scam was intended to induce the seller to deposit the check at his own bank, so that the scammer could cancel the check and request that the bank return the money, which would come out of the unsuspecting seller’s account, before the check was spotted as a phony.... Continue Reading

Agencies Release FAQs For Internet Banking Authentication

Posted in Financial Services

Posted by Peter Mucklestone

The bank regulatory agencies recently released a frequently asked questions ("FAQs") document to aid in the implementation of the interagency guidance on Authentication in an Internet Banking Environment issued October 12, 2005 (the "Interagency Guidance"). The Interagency Guidance addresses the need for risk-based assessment, customer awareness, and security measures to reliably authenticate customers remotely accessing their financial institutions’ Internet-based financial services.

The FAQs are a representation of questions the agencies have received from financial institutions, agency examiners and technology service providers.  The FAQs are designed to assist financial institutions and their technology service providers in conforming to the Interagency Guidance by providing information on the scope of the Interagency Guidance, the timeframe for compliance, risk assessments, and other issues.

A link to the FAQs can be found on the Federal Financial Institutions Examination Council’s (FFIEC) Web site. ... Continue Reading

Lawyers as “Service Providers” Under the Gramm-Leach-Bliley Act

Posted in Financial Services, Policy and Regulatory Positioning

Posted by Peter Mucklestone and Stuart Louie

Despite a ruling by the D.C. Circuit Court of Appeals that lawyers are not "financial institutions" under the Gramm-Leach-Bliley Act ("GLBA") and therefore need not comply with the privacy obligations under the GLBA required of financial institutions, it is likely that lawyers are "service providers" for the purposes of the GLBA when representing GLBA-regulated financial institutions. (See American Bar Ass’n v. Federal Trade Comm’n, 430 F.3d 457, 21 Law. Man. Prof. Conduct 616 (D.C. 2005).) The consequence? Lawyers representing GLBA-regulated financial institutions may be required to give contractual assurances about their information security practices and, in particular, the steps they are taking to protect any personal information they may acquire in the course of their representation.... Continue Reading

Customer Identification Responsibilities for Agency Lending Transactions

Posted in Financial Services

Posted by Peter Mucklestone and Stuart Louie

On April 25, 2006, the Department of the Treasury, Financial Crimes Enforcement Network issued a guidance statement in respect of Customer Identification Program (“CIP”) responsibilities arising out of transactions where U.S. banks or broker-dealers (“Agent Lenders”) arrange loans of securities to broker-dealers (“Borrowers”) under the Agency Lending Disclosure Initiative. In a typical agency lending transaction, an Agent Lender agrees to make securities (held by such Agent Lender on behalf of its customers (“Customers”)) available to be loaned to Borrowers through Agent Lender’s securities loan program. Other than imposing certain lending requirements and receiving periodic reports regarding loan transactions involving its securities, the Customers have virtually no role in the transaction. The master loan agreement is entered into between the Agent Lender and the Borrower and the Borrower typically records the loan transaction in an account in the name of the Agent Lender. Under the Agency Lending Disclosure Initiative, the Agent Lender, after the fact, will provide to Borrower information regarding the identities of the Customers whose securities have been loaned to the Borrower; however, the disclosure of such information is typically limited to certain personnel of Borrower responsible for credit risk management and ... Continue Reading

Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines

Posted in Financial Services

Posted by Peter Mucklestone and Stuart Louie

The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”). The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Small-Entity Compliance Guide (the “Compliance Guide”) is intended to help financial institutions comply with the Security Guidelines by summarizing the obligations of financial institutions to protect customer information and by illustrating how certain provisions of the Security Guidelines apply to specific situations.... Continue Reading