Entries tagged with “Regulation”.


You may have seen headlines (small ones, but headlines nonetheless) regarding the re-authorization of the Safe Web Act.  The full name of the act, which is far more descriptive of its actual function, is “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006.”  As implied in its title, the bill was originally passed in 2006, but was set to expire this year unless it was re-authorized.  On Dec. 7, 2012, President Obama re-authorized the act until 2020.  So does this mean that the web is now safe all the time for everyone?  No, but it allows the Federal Trade Commission certain powers that enable it to find and prosecute scammers, even if they are not domestic criminals.

The main thrust of the act is to allow the FTC to go beyond the US borders when investigating online criminal activity, especially as related to consumer protection.  The act empowers the FTC to share information about scams and the criminals behind them with foreign law enforcement agencies.  Previously, the FTC had been restricted to sharing only with other US agencies.  Additionally, the FTC is empowered to aid foreign agencies in the investigation of online scams.  Further, the FTC will have the right to get information from foreign agencies.  The law provides “enhanced investigative and litigating tools” to the FTC to allow it to pursue investigations and actions more effectively.

This is not a complete summary of the law, but it does let consumers know that the FTC takes online scams and fraud very seriously and has been empowered, through 2020, to pursue these criminals even if they are not within the boundaries of the United States.  As Mary Bono Mack (R-CA), the bill’s lead sponsor, says, “This is a win-win. It’s good for American consumers. It’s good for the future of e-commerce. And it’s the right thing to do for our nation and our friends around the world.”

In discussions with small merchants about the Payment Card Industry Data Security Standard (PCI DSS), it is clear that there is still some confusion surrounding exactly what payment acceptance channels must be in compliance with the standards.  It is not uncommon to hear merchants suggest that PCI DSS only applies to online payments.  That can be a very unfortunate misconception.  All payment acceptance channels must be compliant with the PCI DSS.  Depending on how many transactions you process annually, you may not be required to validate compliance, but being in compliance is always required – for every payment channel and every merchant.

As a small merchant, think about all of the different ways that you might take payments.  You might have a customer that calls you and asks to place an order over the phone.  How do you process that transaction? Do you save the card number in a spreadsheet (please don’t save the number in a spreadsheet)?  Or do you enter the number in a virtual terminal so that you can securely process the payment and save the information for later use?  Do you have a website through which you accept orders?  Do you accept payments in a face-to-face context using a mobile payment device?  Each of the ways that you accept payment must be compliant.

It’s rare to find a merchant that doesn’t require multi-channel support from their merchant service provider.  It’s important to find a service provider that meets all of the needs of your business model.  More importantly, merchants should seek out service providers that can support and maintain compliance for each of those channels.  Merchants should ask probing questions about how the transaction is secured, how the data is stored, and how long the company has been providing compliant services.  Most importantly, merchants should have a full understanding of where the liability lies in the event that there is a data compromise.  If you’re storing numbers in a spreadsheet and your laptop gets stolen, that is considered a compromise under PCI DSS and the fines, fees and penalties can flow to you, the merchant.  (You can read about Visa’s penalties here.)  If you’re using a registered, compliant service provider to support your business, and you’re not storing the data yourself, the service provider has the liability for any compromise of that data.

It’s very important to understand the chain of liability when selecting a service provider, and even when selecting specific services from that provider.  For more information about how PCI DSS impacts small merchants, you can check out the Payment Card Industry Security Standards Council (PCI SSC) resources for small businesses.

When it comes to PCI DSS, it is no secret that there is a lot of confusion.  Surprisingly, one of the most confusing aspects seems to be who is responsible for enforcement of the standard.  Is it the acquiring bank, the PCI SSC, or the card brands?  Do state-level governments get involved?  What about federal?  It’s not uncommon to hear merchants ask the question “why are you making me do this?”  Here, hopefully, is an explanation that can help clear up some of the confusion.

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is managed by the Payment Card Industry Security Standards Council (PCI SSC or simply “the Council”).  The Council is responsible for creating and managing the standards, ensuring that they are disseminated appropriately, and for training and accrediting Qualified Security Assessors, or QSAs.  The Council does not conduct assessments, nor does it enforce the standards.  While it plays a critical role in the industry, it does not determine the consequences of non-compliance.

Acquiring banks or merchant banks are often cast in the role of the enforcer, but this is an oversimplification of the complex nature of the industry.  The acquirers, just as merchants, are bound to adhere to all card brand operating regulations.  Part of those rules require the banks to ensure that their merchants are also in compliance with the card brand rules, including the PCI DSS and related standards.  Fines for non-compliance are passed through acquirers to the merchants.  In other words, the card brands impose fines on the acquirer for non-compliant merchants.  The acquirer then passes that fine on to the merchant.

Ultimately, though, it is the card brands that are responsible for the enforcement of the PCI DSS.  Each of the major card brands has its own security program with different processes for dealing with non-compliant entities and with entities that have suffered a breach.  Here are the links to each of the programs.

It is important to note, though, that some states have passed laws mandating PCI DSS compliance.  As of January 2010, all companies that collect or transmit payment card data in Nevada have been required to comply with the PCI DSS.  Penalties for non-compliance include civil action, paying restitution and even injunction.  In 2010, the state of Washington also passed a law requiring PCI DSS compliance.  Minnesota has codified portions of the PCI DSS in its Plastic Card Security Act.  As of yet, the federal government has not passed a law along these lines, but various regulations and the charter of the FTC mean that, in the event of a breach, the federal government may be involved as well.

The best defense against these regulatory headaches is simply this – to the extent possible don’t store the data.  For those that need to facilitate payments, there are solutions that would allow you to do so while minimizing the amount of data that is stored, processed, or transmitted.  Merchants are well-served to investigate these solutions in order to minimize their liability, and in some cases even to reduce their costs.

Those that are familiar with this blog may have heard it said more than once that the United States lags far behind Europe with respect to the protection of consumer information.  The European Union, in fact, has been operating under the penumbra of the European Directive on Data Protection for 15 years.  The EU actually recognizes the protection of personal data as a fundamental human right.  That is a far cry from the legislative activities surrounding data privacy in the United States.  The US has traditionally taken a piecemeal approach to data protection, often leaving the regulation of data privacy and security to the states, and in some cases to individual industries.  Given the political culture of the United States, such an approach is not terribly surprising.  However, the rapid advancement of technologies has perhaps been enough to spur the federal legislature into evaluating the lessons of the EU directive to see if, or how, similar regulation might work in the US.

On Friday, Sept 16th, the House Energy & Commerce Committee’s Commerce Subcommittee will be holding hearings on the issue of privacy, and specifically the impact of the EU regulations.  In Rep. Bono-Mack’s published opening comments, she states “The purpose of the Directive is to harmonize differing national legislation on data privacy protections within the European Union, while preventing the flow of personal information to countries that – in the opinion of EU regulators – lack sufficient privacy protections.”  She goes on to discuss the large number of unintended consequences of the regulatory regime.  To be fair, unintended consequences are almost always found in the wake of new legislation, particularly such sweeping legislation as the EU Directive on Data Protection.  It should be noted, though, that with 15 years of implementation history and lessons, the US should be able to draw sufficient parallels without also reaping the same number of “unintended consequences.”

In looking at the purpose of the directive one can immediately see the attraction of such a regime in the US.  As stated by Rep. Bono-Mack, the purpose is to “harmonize differing … legislation on data privacy…”  In looking at the domestic regulatory landscape surrounding data privacy and protection, it is difficult to conclude that some “harmonizing” would not benefit both businesses and consumers.  As of this writing, more than 45 states have data breach notification laws.  While there are some major commonalities among these laws, there are also significant variations.  There are differing definitions of “personally identifiable information,” “breach,” “trigger,” and other critical terms.  Some states include data security protections in those laws, while others have separate laws for data security, and still others have no laws regarding data protection and security.  The situation becomes even more confusing when one considers the federal legislation impacting privacy and security (FERPA, HIPAA/HITECH, GLBA, SOX, etc.) and industry self-regulating programs.

While there are some concerns that tomorrow’s hearing is too slanted towards industry, ignoring or downplaying the concerns of consumers, I believe that it is a positive step.  Bill McGeveran, professor of law at the University of Minnesota, does bring up an interesting point, though: the different conceptions of data privacy between the US and Europe.  According to McGeveran, Europeans think of privacy as a fundamental human right, while Americans (and particularly American businesses) conceive of privacy as a market force with which they have to deal.  That being said, this author does believe that it is possible to create a European-style privacy directive that accounts for American sensibilities.

Dr. Heather Mark, PhD; SVP of Market Strategy

When organizations consider the protection of data, it is often the data at the core of the enterprise that is being considered – the data that is resident in the corporate systems and subject to the protections of the corporate network and the corporate information security policy.  Increasingly, companies are depending on mobile devices (e.g., smartphones, tablets, etc.) to carry out their business.  Yet, just as these devices are on the periphery of the network, they are often on the periphery of the information security program as well.

It can be particularly difficult to conceive of smartphones as an extension of the enterprise, but they certainly can be.  In fact, Massachusetts’ Data Security Law requires “encryption of all personal information stored on laptops or other portable devices.”  Other states are following suit, and with good reason.  As business becomes more mobile, so does data.  As data breaches have extended to the mobile device, so too must the information security program.

Malware has infamously been found in at least one major application marketplace, and one must assume that data thieves and hackers are even now conceiving of new ways to compromise these devices.  In fact, a story in CNET News today highlights a vulnerability in Mac laptop batteries.  This newly identified vulnerability highlights the importance of ongoing risk assessments and adjustments to security policies as technologies and their associated vulnerabilities evolve.

It is important to be aware of the risks posed by mobile devices.  While steps can be taken to mitigate these risks, they can only be applied if the organization is aware of the risks.  It is suggested that businesses inventory the devices on their network, or associated with their company, and their interaction with potentially “toxic” data.  The resulting assessment should be used to help create an information security policy that is appropriate for the size and complexity of the organization and the sensitivity of the data involved.

Dr. Heather Mark, PhD, SVP Market Strategy