PCI DSS Guidelines Issued for Virtualized Environments, including Cloud Computing

June 22, 2011

As the business and consumer worlds migrate their activities to the cloud, it’s logical that participants in the payment cards ecosystem are also part of that inexorable movement toward all things cloud. Relevant legal rules and industry best-practice standards are still catching up to this shift. In keeping with this, after ruminating on related considerations for some time, the PCI Security Standards Council last week issued a supplement to its PCI Data Security Standard focused on the peculiar risks associated with virtualized computing environments and resources, including cloud computing. Not surprisingly, the general rule of thumb is that if a security feature is required in a non-virtual computing environment, that feature is also required in the virtual environment. However, the PCI document, entitled Information Supplement: PCI DSS Virtualization Guidelines, recognizes that assessing and addressing the security risks posed by virtualization technologies presents more daunting challenges than is the case with non-virtual resources.

While there is good discussion within the Guidelines about many technologies, I found the cloud computing discussion most interesting. The Guidelines recognize that each cloud service needs to be evaluated for its specific security and processing attributes in relation to PCI DSS compliance. However, because of the generally comprehensive functions performed by many SaaS cloud providers as opposed to user organizations, the Guidelines make clear that greater PCI compliance burdens will likely be the responsibility of the cloud service provider and, as a result, the Guidelines outline a variety of matters for which a cloud services user should seek assurance from the provider.

Link to Supplement

Washington State Joins PCI / Encryption Bandwagon for Data Breaches

March 22, 2010

Washington State is following closely on the heels of Nevada, which updated its data breach statute at the beginning of this year to add encryption usage and compliance with the Payment Card Industry — Data Security Standards (PCI-DSS) as a factor in determining liability for damages (see Tech Razor post on 1/1/10).  The Governor of Washington today signed into law an amendment to the state’s data breach statute that exposes certain businesses to liability for damages incurred by financial institutions unless the subject business utilized encryption or was PCI-DSS compliant at the time of the breach. 

The new provisions, which are effective July 1, 2010, will subject any business that processes over 6 million credit or debit card transactions annually to liability to financial institutions for not exercising reasonable care to prevent unauthorized access to account information unless the business encrypts processed account information or is compliant with PCI-DSS standards. Similarly, vendors of software and equipment designed to process, transmit or store account information, or vendors that maintain account information for third parties, will also be liable to financial institutions for damages that result from a data breach caused by the vendor’s negligence with respect to their software, equipment or services unless the data was encrypted or the vendor was certified within the prior 12 months as being compliant with applicable PCI-DSS requirements.

Compared to the Nevada Act, the Washington legislation is narrower.  Washington’s latest revision is only focused on damages incurred by financial institutions and does not mandate encryption or PCI compliance, whereas Nevada imposes PCI-DSS compliance on businesses accepting credit cards and encryption on all other businesses transmitting or transporting covered data.  Although this amendment may be viewed as an attempt to address the very real concerns of financial institutions, which incurred substantial card re-issuance and other costs following several major data breaches over the past few years — most notably from the TJX/TJ Maxx and Heartland Systems incidents — the amendment is also a harbinger of both the increased attention focused on data security issues and of similar legislation that may be expected in the near future from other states.  In addition, the differing scopes of the Washington and Nevada statutes highlight the challenge that businesses will face by having to keep up with another layer in the patchwork of data-security requirements as such state-level legislation continues to emerge. 

PDF of Washington Amendment:  HB 1149 Washington State

Another Step Towards Mandatory PCI Compliance and Heightened Encryption Standards?

January 1, 2010

With the advent of the new year, Nevada becomes the first state to explicitly mandate compliance with the Payment Card Industry (PCI) Data Security Standard (PCI-DSS) by businesses that accept credit or debit cards. Nevada Senate Bill 227 (the Nevada Act), which was signed into law in May 2009, takes effect January 1, 2010. The law amends Chapter 603A of the Nevada Revised Statutes to require that any data collector doing business in Nevada that accepts a payment card in connection with a sale of goods or services must comply with the current version of the PCI-DSS, as adopted by the PCI Security Standards Council no later than the date for compliance set forth in the PCI-DSS or by the PCI Security Standards Council.

While compliance with PCI standards has been proposed previously by other states (and in 2007 Minnesota adopted its Plastic Card Security Act, which included PCI-like elements), no other state has directly imposed the PCI-DSS standards on businesses as a matter of law. Card merchants in Nevada and elsewhere were already required by credit card issuers, such as Visa and MasterCard, to comply with the PCI-DSS as a condition to the ability of such merchants to accept payment cards. The difference is that the Nevada approach makes this a legal requirement for those doing business in Nevada rather than simply an industry standard.

The Nevada Act also imposes an encryption requirement on businesses that transmit personal data outside of the secure system of the business.  Unlike in other states, such as Massachusetts, where encryption is referenced in applicable data breach statutes, the Nevada law goes further by specifying that the type of encryption must have been adopted by an established standards setting body, such as the Federal Information Processing Standards issued by the National Institute of Standards and Technology (NIST), and the business must use appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, such as the NIST.

Because there is not a clear remedies provision in the Nevada Act, the Nevada law does not make clear what the consequences are for failure to comply, and whether there is a private right of action or whether a violation may result in only an enforcement action by a state agency. However, the Nevada Act does provide a safe harbor from liability for damages by a business that is in compliance with the PCI-DSS or encryption standards, as applicable, where the breach was not caused by the gross negligence or intentional misconduct of the business or any of its agents. This appears to create a very nice liability shield from third party claims, so it is logical to assume that the statute is in fact intended to expose a non-compliant business to third party damages claims.

Link to Nevada Act:   https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf