PCI DSS and card brands: Standards, compliance and enforcement
Abstract
The payment card brands operate a private regulatory system, the PCI DSS, that affects every entity worldwide that accepts, processes, stores or transmits credit card information. Participation is mandatory for companies that want to function in the modern economy, and the consequences of non-compliance can be harsh. A further complication is that the PCI DSS uses its own terminology, which can be confusing to a beginner. There are, however, benefits to understanding PCI compliance: it helps an entity avoid those potentially harsh consequences, and PCI compliant entities have a stronger defensive posture against cyberattacks. For these reasons, all organisations should know about and understand the PCI DSS, including how to implement and maintain compliance. This paper outlines the history of and rationale behind the PCI DSS and the broad requirements entities must follow to be compliant; provides an overview of the basic terminology and requirements, information on additional programmes that affect an entity’s PCI DSS compliance, a high-level view of compliance and information on its enforcement by the card brands, state legislation and the legal system; and offers some views from both critics and supporters of the current enforcement system.
The full article is available to subscribers to the journal.
Author's Biography
Donna Wilson is a partner at Manatt, Phelps & Phillips, LLP and is nationally recognised for her high-profile, bet-the-company work on behalf of companies facing litigation and government enforcement actions, with a focus on both the consumer financial services and the privacy and data security spaces. She is the chair of Manatt’s privacy and data security practice and co-chair of its financial services group and financial services litigation and enforcement practice, and is also recognised by professional publications for leadership. Most recently, she was selected as one of twenty Top Cyber/Artificial Intelligence Lawyers and one of 100 Top Women Lawyers in California by the Daily Journal, and one of the Most Influential Women Lawyers in Los Angeles by the Los Angeles Business Journal. She is a frequent author, speaks on cutting-edge legal matters and is regularly quoted by various media, including the Wall Street Journal, USA Today and the Daily Journal.
Ethan Roman is a litigation and cyber security attorney in the New York office of Manatt, Phelps & Phillips, LLP, where he advises companies on a broad spectrum of issues, including data breach responses, security incident investigation, containment and mitigation and best practices and policies. He is a Certified Information Privacy Professional for the US Private Sector (CIPP/US) and an active member of the International Association of Privacy Professionals, where he serves as a Young Privacy Professional Leader for New York City.
Ingrid Beierly is a Senior Advisor, Cyber and Global Payment Security at Manatt, Phelps & Phillips, LLP. A senior security risk business leader with a record of achievement in payment data security, she has led successful efforts to mitigate global payment risk and cyber security data compromises for impacted entities. Ingrid previously served as a global forensic and cyber intelligence business leader with a major credit card company for over a decade. As both analyst and advisor, she spearheaded global computer forensic investigations impacting credit card members, merchants and service providers, providing insight on fraud investigations, data security compromises and compliance preparation. Ingrid was instrumental in developing data security programmes, such as the Cardholder Information Security Program (now known as Payment Card Industry Data Security Standards), Payment Application Data Security Standards, Payment Forensic Investigator and Qualified Integrator and Reseller Program. These programmes impact entities all over the world. Before joining Manatt, Ingrid served as an independent payment security consultant in the San Francisco Bay area, focusing on payment data security, incident response and credit/debit/prepaid card fraud mitigation strategies for a high-profile clientele.