An estimated 164 million payment cards were in use in the UK in 2016. With almost £4 billion spent using contactless cards alone in April 2017, and new breach notification requirements coming into force soon, everyone involved in card payments (including card brands and merchants) needs to consider how to respond to breaches, and whether they need to store card data at all.
Payment card data is a major target of hackers. High-profile malware and other cyberattacks have compromised substantial volumes of customer card data with alarming regularity throughout 2017. Payment card breaches have resulted in several massive litigations in the US, including consumer class action lawsuits, involving merchants, card issuers and card networks. There have also been many costly investigations by regulators and by the payment card brands, which have authority to investigate payment card breaches and violations of the Payment Card Industry Data Security Standard (PCI DSS): an evolving set of information security requirements for organisations handling card data. The requirements themselves apply to every organisation in scope; what varies with the number of transactions handled per year is how compliance must be validated.
Regulation of payments is increasing
The enhanced data security obligations and breach notification duties coming into force in May 2018 under the General Data Protection Regulation (GDPR), together with the existing requirements of the PCI DSS, may bring this heavy litigation and enforcement risk to Europe. The Payment Services Regulations (PSRs) are being updated in stages (commencing in January 2018) to impose new obligations, including "strong customer authentication" (two-factor authentication) for online card transactions and new rules requiring payment service providers to report major security incidents to their local regulators.
PCI DSS is intended to protect cardholder data wherever it is processed, stored or transmitted. Acquirers and card processors mandate that merchants comply with PCI DSS through their contracts. Compliance requires organisations to take a long list of proactive steps to guard against data breaches, and it goes a long way towards demonstrating the "appropriate technical and organisational measures" that GDPR requires for the security of processing, although PCI DSS compliance is not a safe harbour under GDPR and does not cover personal data other than card data.
Cybersecurity threats change weekly, and PCI DSS requirements are revised regularly and require periodic compliance reviews. Merchants who handle large numbers of transactions must undergo annual on-site assessments by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council; smaller merchants validate by self-assessment questionnaire. Merchants must meet PCI DSS requirements or risk significant fines passed down by the card schemes through their acquirer, but meeting these conditions is not a guarantee of protection against hacking.
In terms of best practices, independent assessment and validation of security measures for payment card data (even where not required by PCI DSS), including newer solutions such as tokenisation, should be undertaken on a regular basis to test the security and resilience of the methods employed. Because of the significant risk posed by payment card data, our US practice usually recommends that clients who are not very confident of their PCI DSS compliance and overall cybersecurity posture seriously consider outsourcing card handling to a reputable and well-insured payment security vendor. Outsourcing reduces the merchant's PCI DSS scope but does not remove its responsibility: PCI DSS Requirement 12.8 still obliges the merchant to manage and monitor the service providers it uses, and it remains answerable to its acquirer and to regulators for breaches at those providers.
While PCI DSS and other security measures go some way towards reducing the risk of a breach, the danger can never be entirely removed. Adequate breach response policies and procedures, updated and rehearsed by the relevant personnel on a regular basis, also help to contain an incident and minimise the damage if one occurs.
Risks to keep in mind include: liability for significant card scheme fines; the fraud losses and card reissuance costs borne by issuing banks, together with their incremental costs (such as increased transaction monitoring), which the schemes seek to recover from the breached merchant; fraud loss suffered by customers; and possible litigation and investigations. Merchants typically indemnify their payment processors against losses flowing from card data breaches, and regulatory fines under GDPR are potentially vast.
To help manage such claims and reputational risks, best practices include:
- Understanding your legal, contractual and insurance notification obligations: A data breach will likely trigger contractual obligations to alert certain parties promptly, including the payment processor, insurer, customers and regulatory bodies, and insurance policies commonly make prompt notification a condition of cover.
Given that GDPR requires most personal data breaches to be notified to the ICO within 72 hours of the controller becoming aware of them, having robust and tested procedures in place, including template correspondence for responding to such incidents, is critical. Contact details for key individuals should be reviewed regularly.
- Engaging external forensic investigators early: Appointing a strong external forensic investigation firm to advise on containment and on the ongoing security of cardholder data is key. An external firm will provide objective advice on the circumstances and on any remedial action required, whereas input from in-house IT teams, who built and ran the compromised systems, is likely to have its objectivity questioned. Where the card brands are involved, they will generally require the investigation to be carried out by a PCI Forensic Investigator (PFI) from the Council's approved list, so it pays to have such a firm identified, and ideally on retainer, before an incident.
- Managing third party agreements: Contractual arrangements with relevant parties, including hosting providers and other third party providers, should be reviewed to ensure they adequately address incident response scenarios. Contracts should include specific provisions on prompt notification of suspected breaches and on how potentially relevant evidence held by third parties (logs, system images, access records) will be preserved, accessed and reviewed. The scope of force majeure provisions in these agreements should also be reviewed to determine whether they would excuse a provider's performance in the event of a substantial cyber-attack.
- Ensuring a robust, regularly tested response plan is in place: PCI DSS Requirement 12.10 requires an incident response plan that is "thorough, properly disseminated, read, and understood by the parties responsible". The plan must be reviewed and tested at least annually (Requirement 12.10.2) so that the process is shown to work as designed, and so that missed steps are found in an exercise rather than during a live incident, when they lengthen exposure. These requirements align with GDPR's requirement for a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of the processing.
Such a plan should include:
- Convening a pre-identified Incident Response Team, reachable through out-of-band communications (the attacker may still be reading corporate e-mail), which will lead the investigation into the breach with appropriate third party forensic input (discussed above), including interviews of the personnel involved in the circumstances of the breach;
- Establishing a reporting and communication channel under legal privilege (typically by instructing the forensic investigators through external counsel), together with steps to secure evidence and to create an audit trail documenting the circumstances of the breach;
- Preserving relevant logs and forensic images of affected systems before those systems are cleaned or rebuilt, since the card brands' investigation and any later litigation will depend on them.
- Managing Reputational Damage: Have an effective communication plan in place for customers, investors and other key stakeholders. The messaging for each party needs to be well thought out to minimise the impact of the breach and hiring a communications firm with strength in breach response is advisable in the event of a large incident.
In the future, we anticipate technological advances designed to deliver data minimisation, a central principle of the GDPR, by reducing the need to transfer or store payment card data at all. There are already technologies, such as tokenisation, that provide important protection against attackers gaining access to sensitive data: the merchant's systems hold only a surrogate value that is useless to a thief, while the real card number lives in a tightly controlled vault or with the payment provider. Introducing tokenisation and similar technologies can assist with adherence to PCI DSS and GDPR and shrink the systems that fall within PCI DSS scope, and with them the volume of controls that must be complied with.
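To make the tokenisation point concrete, the following is an added example written for this article; it is not DLA Piper's code and not any particular vendor's product. It assumes a hypothetical in-memory `TokenVault` standing in for a separately hosted, PCI-scoped tokenisation service, and uses the well-known `4111 1111 1111 1111` test number rather than a real card. It shows why a breached order database holds nothing of value once it contains tokens, why a token is built so that it can never be confused with a live card number, and why reversing a token is restricted to the one component that genuinely needs the PAN.

```python
"""Constructed tokenisation example (not from the article or any vendor).
The vault below is an in-memory stand-in for a separately hosted, PCI-scoped
tokenisation service; the merchant's own records only ever see tokens."""
import re
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn check used by the card networks; a string that fails it cannot be a real PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds a PAN. Everything else stores the token."""

    def __init__(self, allowed_detokenizers=("payment-gateway",)):
        self._pan_by_token = {}
        self._token_by_pan = {}
        self._allowed = set(allowed_detokenizers)   # hypothetical caller allow-list

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:               # same card -> same token, so
            return self._token_by_pan[pan]          # recurring billing still works
        while True:
            # Format-preserving: same length, real last four digits (so staff and
            # customers can recognise the card), everything else random. A candidate
            # that happens to pass Luhn is rejected, so a token can never be mistaken
            # for, or used as, a live card number.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Reversal is the sensitive operation: only the gateway that talks to the
        # acquirer needs the PAN; the order system, reporting and support do not.
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list:
    """Crude cardholder-data scan of the kind an assessor (or an attacker who has
    dumped a database) runs: digit runs of card length that pass Luhn."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def record_order(vault: TokenVault, order_id: int, pan: str, amount: str) -> str:
    """Merchant order record written with the token in place of the PAN."""
    return f"order={order_id} card={vault.tokenize(pan)} amount={amount}"


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"        # standard test number, not a real card
    naive = f"order=42 card={test_pan.replace(' ', '')} amount=19.99"
    tokenised = record_order(vault, 42, test_pan, "19.99")
    print("naive record exposes:    ", find_pans(naive))      # the PAN
    print("tokenised record exposes:", find_pans(tokenised))  # nothing
    token = tokenised.split("card=")[1].split()[0]
    print("gateway can recover PAN: ", vault.detokenize(token, "payment-gateway"))
    try:
        vault.detokenize(token, "order-service")
    except PermissionError as exc:
        print("order service cannot:    ", exc)
```

The scan in `find_pans` is deliberately simple (it misses numbers split by spaces or dashes), but it is enough to show the practical effect: the same order record that would hand an attacker a usable card number when stored naively yields nothing once tokenised, and the compromise of the merchant's database no longer constitutes a cardholder data breach in its own right. What must then be protected, audited and assessed is the much smaller footprint of the vault and the gateway allowed to call it.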
In the meantime, understand your risk and manage it. Regulatory and technological changes are coming fast, so take advice and be prepared.
For more information about issues raised in this article, please contact one of the authors below, or register for our upcoming 22 November 2017 TechLaw London event, where we will be joined by several senior industry executives who will be discussing data protection, cyber security, Fintech and artificial intelligence (AI)-related legal and commercial issues.