PCIDSS and the Legal Framework for Security: An Update on Recent Developments and Policy Directions

I. Introduction

Consumer risks associated with unauthorized payment card usage have largely been assumed by others within the payment card matrix, leaving consumers mostly immune from financial liability. But related risks from unauthorized access to personal information remain as an important area of concern for consumers, who face potential costs outside the realm of control of payment card system participants. For the most part, the security measures imposed within the payment card matrix have been the product of private ordering, with Payment Card Industry Data Security Standards (PCIDSS) emerging as a pervasive standard. Compliance measures emerging around PCIDSS have also been the product of private ordering, and these measures have taken into account both prudential and technological limitations associated with the payment card matrix and its constituent members.

Private ordering for security is reinforced by important economic interests within the payment card industry, where security measures translate into customer trust, which is essential to the functionality of the payment card matrix and the profitability of participants. In a prior article, we have explored these economic motivations favoring private ordering as a solution to consumer concerns involving payment card data security, along with threats to that framework through legislation and litigation. This essay provides an update, focusing on recent developments in litigation and legislative fronts that may shape outcomes affecting PCIDSS as well as developments within the PCIDSS model. Despite the likelihood of increased government intervention, private ordering can be expected to remain central to the development of appropriately nested security measures that will lead to continued trust and participation in the payment card system. As we discuss below, trust, and not absolute security per se, should be the ultimate benchmark for moving forward with enhancements to this system.

II. Legal Intervention: Significant Litigation and Proposed Legislation

Litigation and proposed legislation have impacted security measures within the payment card matrix in the past year. Despite assurances of conformity with PCIDSS, security standards are not foolproof. When breaches occur, private litigants, state attorneys general, and legislators have become involved. Although consumers have found it difficult to prove compensable losses for the purpose of bringing claims against merchants with security breaches, issuing banks have been more successful in extracting settlements from those merchants. State attorneys general have also achieved successful settlements, despite uncertainty in the legal framework for liability. Some of the significant cases, as well as proposed legislative interventions, are discussed below.

A. Litigation

The massive security breach within The TJX Companies – affecting more than 45 million credit and debit card accounts – provided an important wake-up call for payment card industry participants. This breach continues to shape the scrutiny of data security standards and compliance with those standards. Issuing banks that incurred significant costs as a consequence of the breach, including the costs of replacing customer cards, sought relief through litigation, and some consumer groups also joined in the fray. This litigation, involving as many as 18 cases, has gradually been resolved through settlements. All told, The TJX Companies have paid more than $130 million in cash, along with an estimated $177 million in consumer discounts and payments for credit monitoring services for consumers affected by the breach. TJX also settled claims brought by the state attorneys general of 41 states, agreeing to payments of more than $9 million as well as the imposition of additional data security requirements, despite the fact that the company “firmly believes that it did not violate any consumer protection or data security laws.”

While the disclaimer of wrongdoing is a standard litany in settlement announcements, the truth of the matter here is that TJX might have won had it chosen to continue litigating these claims. In the cases that reached judgment on preliminary matters, TJX and its co-defendant Fifth Third Bank, the processing bank for its credit card transactions, came out quite favorably. Claims for negligence and breach of contract were dismissed by the trial court, and earlier this year those dismissals were affirmed by the First Circuit.

The negligence claims failed on account of the so-called economic loss doctrine, which holds that “purely economic losses are unrecoverable in tort and strict liability actions in the absence of personal injury or property damage.” Although one of the claimants argued that it had property damage through the fact that payment card information was rendered worthless, this was rejected as a cognizable form of injury based on Massachusetts law. Consumers seeking tort recoveries would also face barriers from these doctrines, as well as the additional problem of showing a compensable loss based solely on data breach, which is a critical prerequisite to standing to maintain a claim. Thus, these tort-based claims seem to include serious barriers that protect the industry from liability that might otherwise induce greater attention to breaches.

As for the contract claims, the claimants failed to show that they were covered by the relevant contractual language. Security requirements were included in the relevant contracts between TJX and its processing bank, as well as in the card processing agreements with Mastercard and Visa. However, the claimants were not parties to these contracts, and relevant state law did not support the claimants’ position that they were intended third-party beneficiaries of those contracts; indeed, the contracts expressly limited their obligations and benefits to the contracting parties, thus excluding others from this status. Here, too, contract law serves as a protection from third-party liability.

The First Circuit allowed some other claims to go forward, including a claim based on “negligent misrepresentation,” which allows recovery in tort based on failing to exercise reasonable care or competence in obtaining or communicating information to others, which falsely guides them in their business transactions. However, the court also questioned whether proof could be adduced for this claim, cautioning that “[i]t would almost surely stretch Massachusetts law too far to say that merely doing credit card transactions with issuing banks, whether directly (Fifth Third) or indirectly (TJX) is a representation implied by conduct to third parties that defendants were complying with detailed security specifications of Visa and Mastercard.” Although the First Circuit allowed further proof to be offered at trial, it also noted, “The present claim thus survives, but on life support.” Thus, if this claim had gone forward, it does not seem to present a very serious threat.

A final claim that did survive involved a state law provision allowing claims for “unfair” or “deceptive” trade practices. This claim is linked closely to Section 5 of the Federal Trade Commission Act, which provides authority to the FTC to address unfair or deceptive practices. In this case, TJX had been the subject of a consent decree from the FTC with regard to this security breach. Although the category of “unfair” conduct is admittedly vague, the court found that FTC precedent and factors serve to offset this vagueness. Here, if appropriate facts are proven, “a court using these general FTC criteria might well find in the present case inexcusable and protracted reckless conduct, aggravated by failure to give prompt notice when lapses were discovered internally, and causing very widespread and serious harm to other companies and to innumerable consumers” that would give rise to relief under this provision.

Of course, The TJX Companies could not have known these outcomes for sure at the time of settlement. Litigation portends significant business disruptions, which must be taken into account in assessing whether settlement is prudent. Moreover, the “unfair” trade practice claim under state law presents an environment of significant legal uncertainty, which a prudent decisionmaker may well choose to avoid. But coming out of this litigation, we are left with considerable uncertainty from the judicial sector as to what standard of behavior is required with regard to data security and the basis for a successful claim.

Nevertheless, economic costs of nearly $300 million from a security breach caused by criminal conduct surely cause corporate officers to take notice. But what action is appropriate? And how does existing law provide the answer to this question? As other breaches have rolled through the media, shareholders have also taken notice. When a significant stock price decline occurs in connection with the announcement of a data security breach, is corporate management responsible for notifying shareholders of these risks? A study released last spring by Hiscox, an insurance firm based in Bermuda that sells, among other things, “hacker insurance,” suggests that a significant number of firms are not disclosing these risks in their SEC filings. Moreover, among the surveyed firms with obligations to be PCIDSS compliant, more than one third were not compliant.

Three points are particularly relevant in this regard. First, it appears that state law is the primary foundation for developing these claims. When an international payment network is involved, merely deciding which state’s laws should apply presents a significant problem. For example, in the TJX litigation, Fifth Third Bank, the payment card processor, did its work outside of Massachusetts. Should its conduct conform to Massachusetts law? Second, even if we know which laws apply, should the regulation of important interstate activities be relegated to a patchwork of state regulation? Third, if laws are to provide not only the source of standards, but also allocate the costs of failing to meet those standards, will legal solutions developed through the courts adequately define the standards and efficiently allocate the costs? If so, will the standards remain current, in pace with information technology? Needless to say, there are certainly grounds for skepticism on these points. The law as a sole source of a holistic solution appears far from reality.

B. Proposed Legislation

Data security breaches have received attention from legislatures at both state and federal levels. Most states have enacted legislation that requires public disclosure of data security breaches, which applies not only to payment card information, but also to a broad range of other personal information. Such efforts have had a salutary effect on bringing out the consequences of inadequate security, as well as allowing the affected individuals to take appropriate corrective action. However, those efforts provide, at best, a patchwork solution, raising significant potential conflicts for businesses engaged in multistate business operations.

To date, only Minnesota has enacted any legislation to address the problem of who bears costs associated with the breach of security within the payment card system. Minnesota law provides a statutory basis for recovery to the issuing banks, effective beginning August 1, 2008, for a breach of security in violation of the statutory security standards. The recovery may include costs incurred in order to protect the information or cardholders, cancellation and reissuance of payment cards or other access devices, notification costs, as well as the costs of unauthorized transactions. The standard for liability, however, reflects a rather weak standard, which would include retaining customer data more than 48 hours after the transaction has been authorized. Of course, this falls short of PCIDSS compliance. As one commentator has noted, a PCIDSS compliant merchant would certainly meet the standard and avoid liability under the statute despite the fact that a security breach occurred, but a merchant that complied with Minnesota’s laws may not necessarily be PCIDSS compliant. Significantly, this legislation fails to provide a realistic standard for proper commercial behavior. Instead, it imposes liability only for a subset of commercial behavior that might be regarded as highly improper. This ultimately adds little to the solution of the question of defining a broader standard for behavior which might result in shifting costs.

Congress has also looked at the matter of data security for payment cards, with a particular focus on whether the matter of self-regulation through PCIDSS is enough. A bill has recently passed the House, HR 2221, the Data Accountability and Trust Act, which addresses several aspects of the data security breach problem. First, it provides a federal rule for notification of data security breaches, thus resolving the problem of potentially competing state demands. Second, it delegates authority to the FTC to promulgate regulations within one year “to require each person engaged in interstate commerce that owns or possesses data containing personal information, or contract to have any third party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices .…” The Act specifically preempts state information security laws, thereby ensuring a single federal source for compliance.

As for enforcement, the Act does not provide a private cause of action. The FTC and state attorneys general are both empowered to enforce these rules, including the imposition of civil penalties and fines, not to exceed a total of $5 million. Thus, the matter of whether consumers, issuing banks, or shareholders may bring claims for damages is not resolved here.

Also unresolved by this bill, of course, is the content of the policies and procedures that must be maintained in order to avoid these penalties. Building upon what has already been accomplished in the payment card industry would seem to be a likely point for departure. Although PCIDSS is subject to criticism as not providing enough security, focusing on the products of private ordering here may become, at the least, an important starting point.

III. PCIDSS: Private Ordering at Work

The Payment Card Industry (PCI) Data Security Standards (DSS) emerged out of the payment card industry’s business needs. Initially, such standards in various forms were set in motion by each card issuer. Given the inherent risks of the payment card industry, it became apparent that a patchwork of diverse standards would not work. Furthermore, with fewer than a dozen major card brands controlling over 90% of the card industry, the players realized that cooperation in this arena would be an effective approach for the industry as a whole. Consequently, the industry, with limited participation from other stakeholders, put together a set of requirements, called standards. As we noted earlier, these standards have the force of economic utility, which cannot be easily ignored. It is through contractual commitment that a waterfall of participants in the industry, from the individual retailer to the merchant banks to the card brands, is bound to comply with these requirements.

In October 2008, the PCI Security Standards Council released Version 1.2 of the standards. The revisions focus on clarifications and explanations, and on removing redundant sub-requirements. Of the numerous changes made, the Council lists the following four as enhancements:

• Requirement 4.1.1 now emphasizes the use of strong encryption technologies for wireless networks.

• Requirement 5.2 now provides for separate testing procedures to verify that all anti-virus software is current, actively running, and capable of generating logs. The four separate procedures refer to verification of the policy, software installation, system components, and logs.

• A form for attestation of compliance for onsite assessments – merchants has been added (Appendix D).

• A form for attestation of compliance for onsite assessments – service providers has been added (Appendix E).

The new version essentially provides clarification through granularity and clears up some of the language to make meaning more precise.

A. Are We Secure Yet?

Is the Payment Card Industry secure? Despite some progress in the industry-led governance in this domain, compromises occur. As the web gains an increasingly larger share of payment card transactions, both in number of transactions and in aggregate amount worldwide, the risk of such compromises will continue to frustrate the industry and its stakeholders, including consumers. The 2009 Data Breach Report issued by Verizon Business analyzed 90 confirmed breaches in 2008 affecting 285 million records. Their previous report, covering the years 2004 through 2007, reported a four-year aggregate of 230 million transactions compromised during the period.

A striking statistic in the 2009 Verizon Business report is this: 81% of victims were not Payment Card Industry (PCI) compliant. The issue is not the spirit of the PCIDSS standards, but rather the execution by participants of the process of remaining compliant. Penalties and litigation, not to mention the government’s reach to stop the breaches, persist past such incidents, but they yield only marginal systemic improvements, in the sense that, when a weakness is exposed, sophisticated actors will seek to address that particular weakness. That is surely not the end of the persistent battle to prevent criminal exploitation of weakness. Litigation results, such as the settlements discussed above, merely reallocate losses, albeit with significant additional transaction costs.

B. Core Issue: Security or Online Trust?

The market mechanisms in the payment card transactions environment appear to thrive on consumer trust. As we indicated earlier, a major part of consumer comfort in online financial transactions seems to lie in the protection afforded to them: that they will be compensated for financial losses they incur. However, there are other consumer costs as well. For example, Listerman and Romesberg report that it takes an identity theft victim an average of 58 to 231 hours of personal time to deal with all of the correcting and legal issues. And even Ben Bernanke is not exempt from this, as evident in a compromise that hit his wallet recently.

Consumers don’t necessarily want perfect security. They need to trust the system in order to be able to transact on an ongoing basis. Trust can only be asked of the customer, not provided by the merchants. Therefore, it is important to recognize that the industry would be prudent to work with a surrogate – secured systems – in seeking online trust. Thus, since online trust seems to be a somewhat uncontrollable phenomenon, the PCI seeks to generate consumer trust through security. Imperfect as it is, that security could lead to consumer trust, thus sustaining the market mechanism for thriving consumer activity.

We scoured PCIDSS Version 1.2 for the terms “trust,” “trusted system,” and “security.” Whereas there are numerous references to security, there is no mention of trusted system(s) in the entire standard. Requirement 1, “Install and maintain a firewall configuration to protect cardholder data,” is preceded by the heading “Build and Maintain a Secure Network.” The preamble to the specific sub-requirements within Requirement 1 talks about trusted and untrusted networks but ultimately switches to the comfort zone of security without laying a bridge between security and trust. And perhaps this is as it should be, when we are speaking of technical standards. But the ultimate goal remains a trusted system, in which customers are not afraid to spend and merchants are not afraid to participate. If threats are too great, consumers will keep their cards in their pockets. But if merchants or other participants face potentially crippling losses from a reallocation of costs, their participation is at stake, too.

IV. The Way Forward

The payment card transactions environment is complex. If we look at it carefully, it involves issues of pricing and resource allocation (or reallocation), consumer loyalty, online trust, global reach of the industry, customer information protection, and business value structuring across a network of value adding participants. Numerous stakeholders are in the mix, with different motives and goals.

Policy analysis that focuses solely on security will undoubtedly reach the conclusion that the current model of self-regulation is not achieving this goal. Congressional hearings this past spring rehearsed a litany of breaches, including Hannaford Brothers, TJX, Heartland Payment Systems, and others, which typically involved gaps in PCIDSS compliance. The self-regulation model implicitly recognizes that security is not, and will never be, an achievable goal. The network includes participants with broad ranges of technological sophistication and economic wherewithal to implement security measures and bear the costs of monitoring compliance with those measures. These pragmatic limitations, coupled with the inherent ingenuity of humans (a trait unfortunately shared by hackers, too), ensure that security failures will occur in any payment system.

Apart from fines that may be imposed, the self-regulation model effectively allocates costs within the system to merchants (for chargebacks) and to issuing banks (for reissuing cards). These participants, in turn, are likely to export those costs to their customers, albeit discreetly through pricing of their products and services. Intervention through either legislation or through litigation to reallocate losses within this model may reflect political preferences for some participants over others, but such interventions inject new transaction costs into the mix. And to the extent government seeks additional protections for consumers, those reallocations may prove temporary to the extent that customers are likely to become the ultimate cost bearers for any system.

Reallocations need to be based on clear and cognizable standards for security obligations, which are lacking within the legal system but which are present, more or less, within the system of self-regulation. Although the Minnesota law discussed above may achieve clarity by defining minimal standards that are far below the expected level of behavior, such an approach is unlikely to induce trust. However, a more robust approach presents significant new challenges. Whether the FTC can achieve this feat in one year, as directed by HR 2221, is doubtful. Whatever it does achieve is likely to be subject to the same criticisms leveled at PCIDSS – those standards will not necessarily achieve security either, and it is far from clear that whatever they do achieve will enhance trust in this system.

Disclosure laws, on the other hand, may serve an important role in protecting consumers from a false sense of trust. This kind of intervention is likely to enhance the effectiveness of self-regulation by reinforcing market-based incentives toward preserving security and addressing shortcomings. To the extent HR 2221 helps move us toward common standards for disclosure, thereby avoiding the uncertainty and conflicts that emerge from a patchwork of state laws, this is a positive development. Disclosure requirements also reinforce trust by precipitating offers of assistance such as credit monitoring, which are emerging as expected and customary practices by firms that experience security breaches. Disclosure also provides a valuable signal to other participants, including consumers, that they have obligations to be vigilant. We all have personal information circulating in networks, which makes us vulnerable. As we have used technology to address other technology problems, such as spam, private monitoring systems have emerged to help address threats. Efforts by the FTC to impose monitoring obligations on financial services providers may also assist consumers in this process.

Government should tread lightly in this dynamic area. Although it is tempting to make points with voters through expressing the good intention of protecting consumers from the errors of others, consumers are likely to become the ultimate cost bearers. Adding more technical security standards in an environment in which existing standards are often not in compliance leads to justifiable skepticism as to whether this approach will benefit consumers. And if compliance costs increase significantly, the cure may be worse than the disease.

Courts should also exercise restraint in expanding legal doctrines that would require cost-shifting among participants in the payment card marketplace. The current scheme diffuses costs in a manner that avoids significant transaction costs and the threat of crippling liabilities from security failures that are admittedly difficult to prevent ex ante. Threats of liability may direct more resources to compliance, but the realities of the marketplace suggest limits that courts are ill-equipped to consider. If the costs associated with security risks are too high, merchants may also choose to withdraw. Those who think this is not possible should consider the practices of merchants today with regard to personal checks. For many, the costs and risks of this payment medium are simply too great. Locating an ATM in the store instead of accepting checks or payment cards is an emerging option we have observed in some retail locations, but this may present new risks, including tax-enforcement issues that lurk in a cash-based economy.

We can do better at keeping customer data secure. The industry knows this, too, as it will continue the process of self-examination. But the broader concept of trust, in which security plays a complementary role along with other values, including cost-effective utility, deserves greater attention by policymakers considering intervention and refinements in the payment card system.