Starting Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 (click-through agreement required) will replace Version 2.0. The PCI DSS is a set of requirements developed by the four major credit card networks and is designed to enhance the security of credit card transactions and cardholder data. The PCI DSS requirements apply to any entity involved in credit card processing, including merchants, processors and service providers that store, process or transmit cardholder data. In short, the PCI DSS applies to virtually all companies, big and small, that take credit card payments from consumers or help facilitate those transactions.
In November 2013, the PCI released Version 3.0 of the PCI DSS and made it available for voluntary use in January 2014. During 2014, covered entities were permitted to use either Version 2.0 or the updated Version 3.0 in order to certify their annual PCI DSS compliance. However, after December 31, 2014 covered entities will be required to use Version 3.0 for their attestation and internal compliance purposes. Version 3.0 not only updates and clarifies existing requirements, but also includes several new requirements.
The PCI DSS rules are not just technical requirements. The new requirements will likely impact the organization’s Legal Department. For example, in addition to helping your business clients interpret the new and revised PCI DSS requirements, the Legal Department may also be responsible for implementing the new requirements related to third-party contracting, specifically Requirements 12.8.5 and 12.9.
Effective January 1, 2015, Requirement 12.8.5 requires organizations to “maintain information about which PCI DSS requirements are managed by each [of its] service providers, and which are managed by the [organization itself.]” The PCI DSS defines “service provider” as a “business entity … directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity” (emphasis added). The credit card networks themselves are not considered service providers. This new requirement is complementary of the existing requirements in 12.8 that obligate the covered entity to implement and maintain policies and procedures to manage service providers who receive cardholder data. According to guidance provided in the PCI DSS, the intent of this new requirement “is for the assessed entity to understand which PCI DSS requirements their providers have agreed to meet.” The Legal Department is often integral in helping the organization understand how existing agreements with service providers allocate the responsibilities to the respective parties. Likewise, for new service providers, the Legal Department will be needed to help ensure that the appropriate contractual provisions are identified as part of the due diligence process and included in the vendor’s written agreement.
Under new Requirement 12.9 (best practice until June 30, 2015, required thereafter), service providers must acknowledge in writing to their customers “that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent they could impact the security of the customer’s cardholder data environment.” While the certifying entity has always been required to have a written agreement with its service providers, the service providers have not had a reciprocal requirement. As a result, some service providers deferred or even resisted acknowledging their responsibilities for securing cardholder data, since the lack of an agreement did not prevent the service provider from certifying its own compliance under the PCI DSS. The new requirement mirrors the existing requirements found in 12.8.2 and makes the obligation of having a written acknowledgement directly applicable to the service providers. Indeed, the PCI DSS guidance says that the new “requirement [12.9] is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS requirements.”
If you are counsel for an organization that is a PCI service provider, you may be asked to determine whether a written agreement that satisfies Requirement 12.9 is in place with all of your applicable customers. If there are any gaps, the organization will have until July 1, 2015 to comply. If you are counsel for an organization that uses PCI service providers, you may be receiving requests over the next six months from those service providers to sign an acknowledgment related to the parties’ responsibilities under the PCI DSS. Either way, you should be watchful for any language that alters the substantive responsibilities of the parties or that is inconsistent with how those responsibilities are internally documented for the purposes of Requirement 12.8.5. After June 30, 2015, both the customer and service provider will have to make certain that the contractual acknowledgement is sufficient for their respective obligations under Requirements 12.8.2 and 12.9.
Beyond new requirements 12.8.5 and 12.9, the Legal Department, in conjunction with the organization’s technical, financial and internal audit business units, will continue to play a key role in interpreting and implementing the new requirements found in PCI DSS Version 3.0.