National Academies Press: OpenBook

Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Chapter: V. TRANSIT AGENCY COMPLIANCE WITH THE PAYMENT CARD INDUSTRY DATA-SECURITY STANDARDS

Suggested Citation:"V. TRANSIT AGENCY COMPLIANCE WITH THE PAYMENT CARD INDUSTRY DATA-SECURITY STANDARDS." National Academies of Sciences, Engineering, and Medicine. 2017. Legal Issues Concerning Transit Agency Use of Electronic Customer Data. Washington, DC: The National Academies Press. doi: 10.17226/24730.

C. State Laws and Transit Agency Policies on Retention of Personal Data

Transit agencies are subject to state laws and/or have their own policies regarding the retention of customers’ data. It appears that most states have laws and regulations that govern the length of time that state and local government agencies may retain PII and other personal information. New York law requires some records to be kept until no longer needed, whereas other records must be kept indefinitely.105 The Florida retention schedule provides that payment card data as defined by the PCI DSS must be destroyed immediately upon completion of a transaction.106 Access records must be retained in Virginia for “three years or until such time as the personal information is purged, whichever is shorter.”107 In Chicago, CTA’s privacy policy states that PII associated with a Ventra card account will be stored no longer than 7 years after an account has been closed or terminated.108 MBTA’s privacy policy provides that records containing PII will not be retained for longer than 14 months, but that aggregate information may be retained indefinitely.109 MTC’s privacy policy for Clipper states that “[a]ll account information will be deleted no later than four years and six months after the account is closed or terminated.”110 Thus, there is a wide disparity among state laws or privacy policies that apply to the retention of customers’ electronic personal data.

V. TRANSIT AGENCY COMPLIANCE WITH THE PAYMENT CARD INDUSTRY DATA-SECURITY STANDARDS

A. The Payment Card Industry Data-Security Standards

Twenty-five agencies that responded to the survey reported that they (or their contractor or agent) have taken steps to comply with the PCI DSS. The reason is that all organizations that accept, process, transmit, or store customers’ credit and debit card data must comply with the PCI DSS, which are administered by the private Payment Card Industry Security Standards Council (PCI SSC) to assure that all companies have a safe environment for the protection of customers’ data. An American Bar Association (ABA) publication opines that

the PCI DSS is perhaps the most important industry data security standard in the United States.… Adopted by a consortium of the major credit card companies operating in the United States, this is a “set of comprehensive requirements for enhancing payment account data security”…[T]he set of standards requires all merchants (i.e., anyone accepting credit card payments) to implement the PCI DSS.111

The PCI SSC, launched in September 2006, is an independent body created by the major payment card brands, such as American Express, Discover, Mastercard, and Visa. The major payment card companies administer and manage the PCI DSS to improve “payment account security throughout the transaction process.”112 The PCI DSS is designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.113 PCI DSS “provides an actionable framework for developing a robust payment card data security process—including prevention, detection and appropriate reaction to security incidents.”114 Thus, all organizations that store, process, or transmit payment cardholder data must comply with PCI DSS.115

The ABA publication notes that several states and agencies have amended their data-breach notification laws to include liability for failure to adopt PCI DSS safeguards.116 Indeed, the payment card companies have the discretion to fine an acquiring bank $5,000 to $100,000 per month for violations.117 The banks in turn may transfer the fine “downstream” for a merchant to pay; however, a bank may also terminate a merchant’s relationship or increase its transaction fees.118

There are 12 standards and other requirements with which a merchant must comply when it accepts credit or debit card payments.119 PCI DSS requires particular methods of encryption, prescribes network security technologies and configurations, and demands or forbids certain practices.120 The purposes of the 12 standards are to build and maintain a secure network, protect cardholder data, ensure the maintenance of “vulnerability management programs,” implement strong access control measures, monitor and test networks regularly, and ensure the maintenance of information security policies.121 PCI DSS, which prohibits the storing of sensitive authentication data, requires that “anyone handling credit card data must never store—even if encrypted—a card’s full track data, card verification code, or PIN verification code after [an] authorization has cleared.”122

B. Liability of Transit Agencies for Failure to Comply with the PCI DSS

1. Federal Agencies’ Compliance

It may be noted that the federal government requires federal agencies to comply with the PCI DSS. The U.S. Department of the Treasury has informed all federal agencies that accept credit and debit cards that they “are required to maintain full compliance with the [PCI DSS]. This is in addition to the Office of Management and Budget (OMB) Personally Identifiable Information (PII) guidelines related to accidental or purposeful disclosure of cardholder information.”123 The Treasury Department has also informed federal agencies that their “[f]ailure to maintain compliance with the PCI DSS puts your organization at risk of significant fines, fees, penalties or losing the ability to process card payments….”124

2. State Laws Requiring Compliance with the PCI DSS or Other Standards

In several states, any entities, including state agencies, that accept debit or credit cards or an electronic payment linked to a debit or credit card (thus in either case becoming a data “collector” or “processor”) are required to comply with the PCI DSS.125 Moreover, if a transit agency were to fail “to take commercially reasonable steps to safeguard [transit customers’] sensitive PII while in electronic storage and [continued] to process payments despite not being PCI DSS compliant,” the failure could serve as the basis of a claim against a transit agency for breach of contract or negligence.126 Agreements between transit agencies and banks or other parties for the transmission of payment data also require compliance with the PCI DSS. For example, TriMet is responsible for annual PCI DSS certification.127 If a transit agency uses a third party to process transactions and payments, however, arguably there may not be a basis for a claim by a customer against the transit agency because the transit agency’s contract is not with a member of the public but with a company that has agreed to receive and process transactions.128

Some state statutes refer to or incorporate the PCI DSS and/or apply PCI DSS to any electronic customer data collected by an agency that comes within the statutory definition of a data collector or processor.129 A provision of the Texas Transportation Code that is not a data-breach notification law references the PCI DSS and provides that financial institutions are not criminally liable for accessing electronically readable information from driver’s licenses as long as the institutions have accessed the information in a manner that is consistent with PCI DSS Standard 3.4.130

A Washington statute that is a data-breach notification law requires compliance with the PCI DSS. The law releases processors, businesses, and vendors from liability as long as they were certified compliant with the PCI DSS by PCI SSC at the time of a data breach.131 In Washington, a data “processor” is

an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity…that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.132

A processor is not liable “if (a) the account information was encrypted at the time of the breach, or (b) the processor…was certified compliant with the payment card industry data security standards adopted by the payment card industry security standards council….”133 A processor is considered to be compliant “if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach.”134

Although the key is compliance, a March 2015 report notes that entities that accept contactless cards or devices linked to a credit or debit card find it challenging to remain compliant with the PCI standards.135 Although companies must have strict controls for their systems and processes, “even a slight change to those systems can render controls obsolete. …[A]n employee may deploy an application that takes payment cards…that falls outside the scope of a particular PCI control.”136

Another issue is whether a government agency’s noncompliance with the PCI DSS is an unfair trade practice under state law. Assuming that noncompliance is an unfair trade practice, it appears that in California137 and Connecticut138 a government-owned public transit agency likely would not be liable for an alleged violation of state law on unfair trade practices. Government agencies in Delaware, the District of Columbia, Hawaii, and Kansas, however, may commit a violation of their jurisdiction’s unfair trade practices.139

There are statutes that protect cardholder data but do not refer to the PCI DSS.140 A Florida statute states that PII “held by a public transit provider for the purpose of facilitating the prepayment of transit fares or the acquisition of a prepaid transit fare card or similar device is exempt from” Florida Statutes Annotated Section 119.07(1) (applicable to the inspection and copying of public records) and Florida Constitution, Article 1, Section 24(a) (regarding access to public records and meetings).141 Georgia statutes describe prohibited uses by merchants of credit card information142 and protect records from disclosures that contain the financial data of users of the Metropolitan Atlanta Rapid Transit Authority or other transit systems using the same transit cards.143 A Massachusetts regulation does not require compliance with the PCI DSS but imposes a duty to protect personal information; however, the law does not require that an individual be notified if the person’s data are accessed or released without authorization.144 A Minnesota statute is a data-breach security notification law but does not refer to the PCI DSS. The law protects a cardholder’s data, however, because it prohibits the retention of certain information that is associated with debit and credit cards for more than 48 hours after a transaction.145 In Nevada, a data-breach notification law requires a data collector that is doing business in the state and accepts a payment card in connection with a sale of goods or services to comply with the current version of the PCI DSS.146 A “data collector” is “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”147

Finally, no cases were located for the digest that involved a merchant’s liability (or penalty) for failing to comply with the PCI DSS. One article, however, states that “fines are relatively rare and reserved for more severe cases. More frequently, if it is a merchant’s first case of noncompliance, the merchant would receive a warning and a notice to address the problem.”148

C. Effect of Change from Magnetic Stripes to Embedded Chips

On October 1, 2015, certain payment networks in the United States shifted liability for fraud to merchants that fail to use EMV chip-enabled devices to process payments.149 The shift in liability applies to the following networks: Accel, American Express, China UnionPay, Discover, Mastercard, NYCE Payments, SHAZAM Network, STAR Network, and Visa.150 Liability would not shift to merchants for contactless transactions or fallback transactions, the latter being “a transaction that is initiated between a chip card and a chip terminal but chip technology is not used and the transaction is completed via magnetic stripe.”151 A card-issuer will remain liable when payment is made with a card that only has a magnetic stripe or when payment is made with a “counterfeit magnetic stripe card with track data copied from a chip card” at a merchant that has a chip-enabled terminal.152

When there are transactions made with a lost or stolen card, the issuer is liable when:
(1) the card only has a magnetic stripe;
(2) it is a chip card that prefers signature verification and the merchant’s terminal is not enabled for chip payment;
(3) it is a chip card that prefers personal identification number (PIN) verification, and the merchant’s terminal is enabled for chip payment but requires signature verification;
(4) it is a chip card that prefers signature verification, and the merchant’s terminal is enabled for chip payment that requires PIN verification; or
(5) it is a chip card that prefers PIN verification and the merchant’s terminal is enabled for chip payment and requires PIN verification.153

For transactions made with a lost or stolen card, a merchant is liable when the card is a chip card that prefers PIN verification and the

Notes

105 New York State Archives, Records Retention and Disposition Schedule MI-1, http://www.archives.nysed.gov/records/retention_mi-1 (last accessed Sept. 24, 2016).
106 Florida Department of State, Division of Library and Information Services, General Records Schedule GS1SL for State and Local Government Agencies, at 36, http://dos.myflorida.com/library-archives/records-management/general-records-schedules/ (last accessed Sept. 24, 2016).
107 Va. Code Ann. § 2.2-3803 (2016).
108 CTA Privacy Policy, supra note 52.
109 MBTA Privacy Policy, supra note 74.
110 MTC Clipper Program Privacy Policy, supra note 53, at 3.
111 Jonathan T. Rubens, American Bar Association, So Many Privacy Rules! The Developing Standard of Care for Data Security and Identity Theft Protection, hereinafter referred to as “Rubens,” http://www.americanbar.org/publications/blt/2009/07/08_rubens.html (last accessed Sept. 24, 2016).
112 PCI ComplianceGuide.org, at PCI FAQs, hereinafter referred to as “ComplianceGuide,” https://www.pcicomplianceguide.org/ (last accessed Sept. 24, 2016).
113 Id.
114 PCI Security Standards Council, PCI SSC Data Security Standards, Overview, https://www.pcisecuritystandards.org/pci_security/ (last accessed Sept. 24, 2016).
115 Payment Card Industry Data Security Standard, hereinafter referred to as “PCI DSS,” http://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard (last accessed Sept. 24, 2016). According to the FAQs, “[i]n-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC—American Express, Discover, JCB, MasterCard, and Visa International.” See ComplianceGuide, supra note 112.
116 Rubens, supra note 111.
117 ComplianceGuide, supra note 112, at PCI FAQs.
118 Id.
119 The 12 standards require that a merchant:
• Install and maintain a firewall configuration to protect cardholder data;
• Not use vendor supplied defaults for system passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data across open, public networks;
• Use and regularly update antivirus software;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need-to-know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes; and
• Maintain a policy that addresses information security.
TD Bank Group, Payment Card Industry Data Security Standard (PCI DSS), http://www.tdcanadatrust.com/products-services/small-business/merchant-services/pci-data-security-standard/pci-security.jsp#principles. See also Symantec, Payment Card Industry Data Security Standard, Symantec™ Managed Security Services Support for IT Compliance, http://eval.symantec.com/mktginfo/enterprise/fact_sheets/ent-factsheet_security_compliance_services_03-2004.en-us.pdf (last accessed Sept. 24, 2016).
120 PCI DSS, supra note 115.
121 Id.
122 James T. Graves, Minnesota’s PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care, 34 Wm. Mitchell L. Rev. 1115, 1130–1131 (2008) (footnotes omitted), hereinafter referred to as “Graves.”
123 U.S. Dep’t of the Treasury, Treasury Financial Manual, at ch. 7000, Credit and Debit Card Collection Transactions (T/L 675), http://tfm.fiscal.treasury.gov/v1/p5/c700.html (last accessed Sept. 24, 2016).
124 Id.
125 See, e.g., Minn. Stat. § 325E.64(2) (2016); Nev. Rev. Stat. Ann. § 603A.215(1); Tex. Transp. Code Ann. § 521.126(e)(2)(A) (2016); and Wash. Rev. Code § 19.255.020(2) (2016).
126 See Willingham v. Global Payments, Inc., 2013 U.S. Dist. LEXIS 27764, at *31 (N.D. Ga. 2013).
127 Intergovernmental Agreement between the City of Portland and TriMet related to an Electronic Fare Collection System, at (4)(a)(iii), http://efiles.portlandoregon.gov/Record/8512560/File/Document/ (last accessed Sept. 24, 2016), and TriMet, Fare System Migration: A White Paper on Electronic Fare Collection, http://portlandtransport.com/documents/Fare%20System%20Migration%20white%20paper_V10%20FNL_11%2017%202011.pdf (last accessed Sept. 24, 2016).
128 Willingham, 2013 U.S. Dist. LEXIS 27764, at *39.
129 201 Mass. Code Regs. 17.00, et seq. (2016); Minn. Stat. § 325E.64(2) (2016); Code of Miss. Rules 12-004-002(2.2)(M), (2.10), (2.11) (2016); Nev. Rev. Stat. Ann. § 603A.215(1); Tex. Transp. Code Ann. § 521.126(e)(2)(A) (2016); Wash. Rev. Code § 19.255.020(2) (2016).
130 Tex. Transp. Code Ann. §§ 521.126(b) and (e)(2)(A) (2016).
131 Wash. Rev. Code § 19.255.020(2) (2016).
132 Wash. Rev. Code § 19.255.020(1)(h) (2016) (emphasis supplied).
133 Wash. Rev. Code § 19.255.020(2) (2016).
134 Id.
135 Most Companies Fail Compliance Tests for Payment Data Security, CIO Journal (Mar. 12, 2015), http://blogs.wsj.com/cio/2015/03/12/most-companies-fail-compliance-tests-for-payment-data-security-report/ (last accessed Sept. 24, 2016).
136 Id.
137 Cal. Bus. & Prof. Code § 17201, et seq. (2016) (California Business and Professions Code) and Amalgamated Transit Union, Local 1756, AFL-CIO v. First Transit, Inc., 2004 U.S. Dist. LEXIS 25233, at *1 (C.D. Cal. 2004) (holding that a transit agency cannot be sued under California’s Unfair Business Practice Act because it is a public entity, not a person). See also Cal. Med. Ass’n v. Regents of the Univ. of Cal., 79 Cal. App. 4th 542, 94 Cal. Rptr. 2d 194 (Cal. App. 2000); Wells v. One2One Learning Foundation, 116 Cal. App. 4th 515, 10 Cal. Rptr. 3d 456 (Cal. App. 2004), aff’d in part, rev’d in part on other grounds, 39 Cal. 4th 1164, 48 Cal. Rptr. 3d 108, 141 P.3d 225 (Cal. 2006) (holding a charter school was a public entity and thus could not be liable under California’s Unfair Business Practice Act); People for Ethical Treatment of Animals, Inc. v. Cal. Milk Producers Advisory Bd., 125 Cal. App. 4th 871, 22 Cal. Rptr. 3d 900 (2005), review denied, 2005 Cal. LEXIS 4347, at *1 (Cal., Apr. 20, 2005) (holding that the California Milk Producers Advisory Board is a public entity, not a person, and therefore not liable under California’s Unfair Business Practices Act).
138 Charter Communications Entertainment I, LLC v. Univ. of Conn., 2000 Conn. Super. LEXIS 770, at *1 (Conn. Super. Ct. 2000) (holding that a state university and its board of trustees were not liable under the Connecticut Unfair Trade Practices Act because a state is not considered to be a person under the Act).
139 D.C. Code § 28-3901(a)(1) (2016) (providing that a “person” means an “individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized”); Del. Code Ann. tit. 6, § 2511(7) (2016) (applying Delaware Consumer Fraud Act to the government); Del. Code Ann. tit. 6, § 2531 (2016) (applying Delaware Deceptive Trade Practices Act to the government); Ga. Code Ann. § 10-1-393.3 (2016); Haw. Rev. Stat. § 481A-2 (2016) (applying the Hawaii Deceptive Trade Practice Act to government agencies); and Kan. Stat. Ann. § 50-624(i) (2016) (applying the Kansas Consumer Protection Act to government agencies).
140 Kan. Stat. Ann. §§ 50-669 to 50-669b (2016); Fla. Stat. Ann. § 341.3026 (2016); and Ga. Code Ann. §§ 10-1-393.3 and 50-18-72(a)(30) (2016).
141 Fla. Stat. Ann. § 341.0521 (2016).
142 Ga. Code Ann. § 10-1-393.3 (2016).
143 Ga. Code Ann. § 50-18-72(a)(30) (2016).
144 201 Mass. Code Regs. 17.00, et seq. (2016).
145 Minn. Stat. § 325E.64(2) (2016).
146 Nev. Rev. Stat. Ann. § 603A.215(1) (2016).
147 Nev. Rev. Stat. § 603A.030 (2016) (emphasis supplied).
148 Tom Rizzo, Scorpion Software, Insights in IT Security, What is PCI DSS and Why Does it Matter? (Jan. 16, 2014), http://insights.scorpionsoft.com/what-is-pci-dss-and-why-does-it-matter (last accessed Sept. 24, 2016).
149 EMV Migration Forum and Smart Card Alliance, Understanding the 2015 U.S. Fraud Liability Shifts, EMV Connection 1 (May 2015), hereinafter referred to as “EMV Connection,” http://www.emv-connection.com/downloads/2015/05/EMF-Liability-Shift-Document-FINAL5-052715.pdf (last accessed Sept. 24, 2016).
150 Id. at 2.
151 Id. at 1, n.2.
152 Id. at 2.
153 Id. at 3.
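The storage rule quoted in Part A (no full track data, card verification code or PIN verification code kept after authorization, even encrypted), the PAN-protection requirement the Texas statute cites as PCI DSS 3.4, and the retention windows in Parts B and C (Florida’s destruction on completion, Minnesota’s 48 hours) are what a fare-system back end has to enforce on every authorization response before anything is written to a database, log or backup. The Python below is an added illustration of that enforcement; it is not code from the digest, from any transit agency or from the PCI SSC. The record layout, field names, sample card data, HMAC key handling and the residue-scanning regexes are this example’s own assumptions.

```python
"""Post-authorization handling of payment card records.

Constructed example: not from TCRP LRD 48 or the PCI SSC.  Field names,
record layout, sample data and key handling are assumptions.
"""
import hashlib
import hmac
import re
from datetime import datetime

# Sensitive authentication data (SAD): PCI DSS forbids storing these after
# authorization, encrypted or not.  The key names are an assumed layout.
SAD_FIELDS = frozenset({"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"})

# Magnetic-stripe layouts: track 2 is PAN, '=', YYMM expiry, service code and
# discretionary data; track 1 starts with 'B', PAN, then the cardholder name
# between '^' separators.  A 13-19 digit run not embedded in a longer
# alphanumeric token is a candidate PAN and is confirmed with the Luhn check.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}\d*\??")
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}")
PAN_RE = re.compile(r"(?<![0-9A-Za-z])\d{13,19}(?![0-9A-Za-z])")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display value in the style of PCI DSS 3.3: at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN (one way to satisfy PCI DSS 3.4) so refunds
    and chargebacks can still be matched without holding the PAN.  An unkeyed
    hash would be brute-forceable over the small PAN space; the key belongs in
    an HSM/KMS, never beside the records."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def sanitize_after_authorization(auth_record: dict, key: bytes) -> dict:
    """Reduce an authorization response to what may be stored long term."""
    stored = {k: v for k, v in auth_record.items() if k.lower() not in SAD_FIELDS}
    pan = stored.pop("pan")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored

def find_sad_residue(obj, path: str = "") -> list:
    """Walk nested dicts/lists and report SAD fields, track data, or full PANs
    that leaked into free-text fields.  Returns (path, kind) pairs."""
    findings = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SAD_FIELDS and v not in (None, ""):
                findings.append((p, "sad-field"))
            findings.extend(find_sad_residue(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            findings.extend(find_sad_residue(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if TRACK2_RE.search(obj) or TRACK1_RE.search(obj):
            findings.append((path, "track-data"))
        elif any(luhn_ok(m.group()) for m in PAN_RE.finditer(obj)):
            findings.append((path, "full-pan"))
    return findings

def overdue_for_purge(records: list, now_iso: str, max_age_hours: float) -> list:
    """Ids of records still carrying SAD or a full PAN beyond a retention window.
    48 hours is the Minnesota figure as the digest describes it; Florida's
    schedule requires destruction as soon as the transaction completes."""
    now = datetime.fromisoformat(now_iso)
    overdue = []
    for r in records:
        age_hours = (now - datetime.fromisoformat(r["authorized_at"])).total_seconds() / 3600
        if age_hours > max_age_hours and find_sad_residue(r):
            overdue.append(r["id"])
    return overdue

# Constructed sample data: the 4111... test number and a dummy key (assumptions).
KEY = b"example-hmac-key-replace-with-hsm-or-kms-managed-key"
SAMPLE_AUTH = {
    "id": "txn-0001",
    "pan": "4111111111111111",
    "expiry": "2512",
    "track2": ";4111111111111111=25121011234567890?",
    "cvv2": "123",
    "pin_block": "0A1B2C3D4E5F6071",
    "amount_cents": 275,
    "authorized_at": "2016-09-24T10:15:00+00:00",
}
LEAKY_RECORD = {
    "id": "txn-0002",
    "pan_masked": "411111******1111",
    "cvv2": "123",
    "memo": "customer read 4111111111111111 over the phone",
    "raw": {"swipe": ";4111111111111111=25121011234567890?"},
    "authorized_at": "2016-09-24T10:15:00+00:00",
}

if __name__ == "__main__":
    stored = sanitize_after_authorization(SAMPLE_AUTH, KEY)
    print("stored:", stored)
    print("residue in stored:", find_sad_residue(stored))
    print("residue in leaky record:", find_sad_residue(LEAKY_RECORD))
    print("overdue at +49h:", overdue_for_purge([SAMPLE_AUTH, LEAKY_RECORD], "2016-09-26T11:15:00+00:00", 48))
```

The residue scanner is the part worth running against real stores: the CIO Journal observation quoted above, that an application deployed outside the scope of a PCI control silently breaks compliance, usually shows up as track data or a full PAN in a memo, exception log or support note rather than in the field designed to hold it. The scanner only flags digit runs that pass Luhn and are not part of a longer alphanumeric token, so it will miss a PAN glued to other characters; treat that as the trade-off it is, not as a guarantee.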


TRB's Transit Cooperative Research Program (TCRP) Legal Research Digest (LRD) 48: Legal Issues Concerning Transit Agency Use of Electronic Customer Data explores the advantages, disadvantages, risks, and benefits for transit agencies moving to electronic, cloud-based, and other computerized systems for fare purchases and for communicating with customers. “Smart” fare cards are now commonplace, and private businesses and transit agencies are using or planning to use smartphones, smart cards and credit cards, and other systems to obtain payment, location, and other personal data from customers.

This digest updates TCRP LRD 14: Privacy Issues in Public Transportation (2000) and TCRP LRD 25: Privacy Issues with the Use of Smart Cards (2008) and covers additional dimensions of collection and use of personal information using new technologies developed since those studies. Appendix A-D are available online only.