Nevada's Security of Personal Information Law Post Four: Encryption and PCI Compliance Requirements
The following FAQs address the encryption and PCI compliance requirements of Nevada's Security of Personal Information Law, which were added pursuant to a recent amendment to the law. The rest of the FAQ is linked to here.
FAQ on Nevada's Security of Personal Information Law (NRS 603A)
InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada's Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours), ISC ended up doing FAQs for the entire Nevada Security Law. This turned out to be a much bigger undertaking than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.
Nevada Law Incorporates PCI and Provides a Liability Safe Harbor
Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law.
Is Something Wrong With PCI?
This question is being asked in various circles in the wake of the Heartland breach. Michael Dahn has an interesting post on it over at the Aegenis Group. I started to respond and kept going and going and going. Read his post first; my (somewhat rambling and unpolished) response is below.
PCI: "Follow the Standards to the Letter"
An interesting quote from Bob Russo on how the PCI standard should be followed:
Bob Russo, the general manager for the PCI Security Standards, a group that devises data security measures for the five major credit card companies, said almost all data breaches are the fault of the merchant. "Everybody that has been breached has been noncompliant with the standard," he said, noting that the circumstances of the Hannaford breach are still too murky for him to render a judgment about. "If you follow the standards to the letter, it puts enough of a hard shell around the data that it is hard to get to."
Full story here.
My question: what about all those emails from the PCI Council, the card brands, acquiring banks and payment processors that purport to resolve ambiguities, and which may not be "to the letter" of the PCI Standard? That question reveals the potential problem from a legal standpoint.
Are the PCI Council's FAQs Incorporated and Part of the PCI Standard?
This is the basic question I posed to Bob Russo, General Manager of the PCI Council, during an online PCI forum put on by SC Magazine:
Are the FAQs incorporated into and automatically made part of the PCI Standard when published? If so, is there a document or some sort of proclamation indicating that the FAQs are part of the PCI Standard?
Mr. Russo orally indicated "yes," the FAQs are intended to become part of the PCI Standard when they are published. Mr. Russo, however, was not aware of any document or proclamation that indicated that the FAQs were incorporated/made part of the PCI Standard. He indicated that he was making a note on that point to see about creating such a document.
What does this potentially mean in terms of legal liability issues? Well, at least with the FAQs, if they are made part of the PCI Standard, merchants and QSAs will have a stronger argument for the authoritative weight of the FAQs if ever challenged on the issues addressed in them. However, this still does not mitigate the potential risk around receiving "informal" advice on ambiguities from the PCI Council, processors or merchant banks. Since this type of informal advice is not officially made part of the PCI Standard, its ability to be relied upon as interpretive authority in court or otherwise is arguably weaker. More on these issues to come.