Archives: PCI

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. …

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. …

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. …

Privacy’s Trajectory

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. …

Issuing Banks File Class Action Suit Against Acquiring Banks in Heartland Breach Matter

In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland’s proposed settlement with Visa. This appears to be an attempted end-run around the proposed …

Massachusetts’s Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift

While the proverbial jury is still out concerning retailers’ sales success this 2009 holiday season, Massachusetts’s highest court (the Supreme Judicial Court or “Supreme Court” as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a …

The Merchants Strike Back?

With the recent news of several restaurants teaming up to sue point-of-sale system provider Radiant Systems (a copy of the complaint can be found here) for failing to comply with the PCI Standard, it appears that some merchants may be in a mood to strike back in the aftermath of a payment card security breach. This …

Mastercard Changes to their PCI Compliance Rules

Under Mastercard’s new rules concerning merchant level definitions, apparently companies that were previously level 4 merchants (and did not have to do a PCI assessment unless requested by their acquiring bank) have been converted to level 3 merchants (which do need to conduct at least a self assessment). More details here. Mastercard announces fine regime …

Nevada’s Security of Personal Information Law Post Four: Encryption and PCI Compliance Requirements

The following FAQs address the encryption and PCI compliance requirements of Nevada’s Security of Personal Information Law, which were added pursuant to a recent amendment to the law. The rest of the FAQ is linked to here. …

FAQ on Nevada’s Security of Personal Information Law (NRS 603A)

InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the …

TJX Settles with State Attorneys General for $9.75 Million

The TJX breach saga came a little closer to an end (excluding of course the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their State’s respective consumer fraud and deceptive practices laws (a copy of the settlement document …

Merrick Bank v. Savvis Update: Savvis Files Motion to Dismiss

As reported previously, the CardSystems security breach has resulted in a lawsuit brought by a merchant bank (Merrick Bank) against CardSystems’ security assessment company (Savvis). The suit alleges that Savvis negligently certified CardSystems’ security as compliant with Visa’s Card Information Security Program (“CISP”), and negligently represented that CardSystems was compliant. Earlier this month Savvis filed …

PCI Service Provider Contracting

(NOTE: cross-posted at Branden Williams’ Security Convergence Blog) As an attorney focusing on information security and privacy issues, I often get called in to assist companies to understand their legal liability risk around the PCI (self) regulatory system. One of the key areas I get involved in is service provider relationships, and in particular section …

Hannaford’s Motion to Dismiss: Victory for Merchants (Part 2)

In ISC’s first post on the Hannaford case, I detailed the District Court’s rationale for either dismissing or generally recognizing various legal theories around payment card number security breaches. The net result of the Court’s analysis was the existence of three possible theories of recovery for the consumer plaintiffs: breach of implied contract …

Security Assessor Sued in CardSystems Breach: Merrick Bank v. Savvis

I had missed the original filing of this complaint, but have now been able to obtain a copy of it. It is essentially a lawsuit by a bank against Savvis for allegedly making a mistake in certifying CardSystems as CISP compliant. The complaint alleges $16 million in damages, which essentially are the amounts that Merrick (acquiring bank) …

The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

The last two plaintiff-banks still breathing after 1st Circuit Appeal

Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via …

Credit Card Thieves So Good They Have Too Much Data…

Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market: [Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of …

Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.” Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment. Well, the Court made its …