National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS

Suggested Citation: "XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

ACRP LRD 42

costs of the production of data need to be accounted for in the determination to collect data. While some states have provisions allowing for government recovery of fees and costs in connection with the production of some records, such recovery is not permitted in all cases. Similarly, some states do allow for differential charges when the request is for a commercial purpose, but most do not. The respective policies of the states can be found in the NACo and Reporters Committee resources referenced in this section.

With the continued focus on openness and transparency in government, state FOIA provisions should be considered in planning for airport data collection and sharing. Airports engaged in data collection should be particularly mindful of the following factors:

• Protection, or lack of protection, for proprietary data and trade secrets;
• Requirements and restrictions on the production of private personal information; and
• The volume of requests.

The ability of the airport to protect data may well shape what can be collected or what other stakeholders may be willing to share.

XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS

Through the Payment Card Industry Security Standards Council, the credit card companies set the PCI DSS standards to reduce the likelihood of credit card fraud.590 The standards concern the security of credit card information and of the systems that process it, and include requirements for security management, policies, procedures, network architecture, software design, and other protective measures.591 Requirements may differ based on the size of the organization and the volume of transactions processed per year. Additionally, merchants that suffer a breach may be required to increase their validation level, that is, to validate compliance more rigorously than their transaction volume alone would require.

According to ACRP RRD 11: Helping Airports Understand the Payment Card Industry Data Security Standard,592 PCI DSS has six objectives:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Under those objectives, PCI DSS establishes the following twelve requirements:593

• Install and maintain a firewall configuration;
• Do not use vendor-supplied default passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data across open, public networks;
• Use and regularly update antivirus software or programs;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need-to-know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes; and
• Maintain a policy that addresses information security for employees and contractors.

Airport operators may have many roles within the PCI environment. ACRP RRD 11 discusses airport operators' potential roles and technical responsibilities. Airports may act as merchants, by accepting credit or debit cards as a form of payment, or as service providers, through their networks or applications that store, process, or transmit cardholder data, and they may contract with third parties to provide credit card services on their behalf.594 An airport's position in the data collection process will affect its responsibility to secure the data and its potential liability.

In determining PCI DSS responsibility, airports first must assess their roles in the process and their contractual obligations. Second, airports must inventory their "assets" in order to secure the data "touchpoints."595 Touchpoints include every place where cardholder data is stored, received, sent, or processed.596 Some potential PCI DSS airport touchpoints are:

• Common use kiosks
• Airport networks
• Wi-Fi
• Airport business operations
• Parking revenue control systems

Touchpoints also include electronic and non-electronic data storage.597 Third, airports must consider whether they meet the PCI DSS requirements at each specific touchpoint.

A. Contractual Duties and Liabilities

Merchants processing credit card data typically bear the burden of securing the data. A chain of contracts runs from the credit card company through the banks and service providers to the merchant. The major credit card companies' rules require PCI DSS compliance and impose added standards on acquiring banks and their merchants and third-party agents.598 The card company rules define penalties for noncompliance. These may include fines or enhanced transaction charges, which are typically passed down the contractual chain. Card companies impose assessments on, or fine, acquiring banks when the banks or their merchants suffer a breach or fail to comply with PCI DSS requirements. Assessments can include the losses incurred to replace compromised cards or to refund customers for fraudulent charges made on compromised cards, as well as case management assessments. Fines can range from $5,000 to $100,000 per month for continuing noncompliance. Acquiring banks' contracts with merchants require the merchants to indemnify the bank for these assessments. Alternatively, acquiring banks may terminate their relationship with the merchant or increase transaction fees.

Several security breaches involving stolen credit card data and PCI DSS failures have resulted in lawsuits. Merchants have either sued to recover money held by acquiring banks or card companies, or have faced lawsuits from banks, card companies, or consumers seeking remedies for data breaches.599 For example, in Spec's Family Partners v. First Data Merchant Services (Spec's), Spec's suffered two data breaches of its payment card system. After the first data breach, Spec's paid First Data Merchant Services the contractual damages owed to the affected card company because of the breach. After the second breach, First Data Merchant Services withheld over two million dollars for assessments imposed by the card company. Spec's brought a breach of contract claim, alleging that First Data Merchant Services had improperly withheld the two million dollars.600 The bank counterclaimed, alleging that the first data breach constituted a material breach of the parties' contract. The parties' contract established fees and charges; rules, policies, and regulations, including adoption of the card companies' rules and regulations, compliance with PCI DSS, and the imposition of an assessment for noncompliance; and procedures for First Data Merchant Services to collect and hold settlement funds. The contract also obligated Spec's to indemnify First Data Merchant Services for failure to comply with PCI DSS, but specified that Spec's was not liable for "special, incidental, or consequential losses or damages."601

On cross-motions for summary judgment, the court granted Spec's motion and denied First Data Merchant Services'. Although Spec's conceded that it was not compliant with nine of the twelve PCI DSS requirements and was therefore in breach of the contract, the court found that the breach was not material because "both parties continue[d] to perform under the Agreement… support[ing] the conclusion that [d]efendant did not consider the breach material, [p]laintiff ha[d] cured the failure, or provided reasonable assurances that it w[ould] comply with the PCI DSS in the future."602 Moreover, after the first breach, Spec's demonstrated an attempt to cure its noncompliance and provided reasonable assurances that it would comply with the agreed PCI DSS standards, by accounting for the circumstances that led to the failure and contracting with a third party to assist with compliance. The court stated that even if it had found the breach material, the breach was cured because the parties continued to operate under the contract, Spec's attempted to fix the noncompliance, and Spec's paid the noncompliance fine imposed by the card company. The court then held that First Data Merchant Services' withholding of two million dollars after the second data breach amounted to the imposition of consequential damages. Because the contract stated that Spec's was not liable for consequential damages, the bank's withholding of those funds was itself a material breach of the contract. The practical lesson for an airport operator is that the contract's indemnity and consequential-damages clauses, rather than the PCI DSS text itself, determine who ultimately bears the card brands' assessments after a breach, and that documented remediation after a breach can defeat a claim that noncompliance was a material breach.

As discussed in Section IX, the FTC sued Wyndham Hotels and Resorts as a result of three separate data breaches; the Third Circuit upheld the FTC's authority to bring that action in 2015, and the parties settled later that year.603 The settlement agreement between the FTC and Wyndham required the hotel chain to implement security measures and annual audit procedures in compliance with PCI DSS.604 The settlement agreement defines PCI DSS as the approved standard for credit card data security.

B. Model Industry Standard

The success and wide adoption of PCI DSS in protecting credit card data can serve as a model for common airport data collection activities that implicate various data collection concerns. For example, PCI DSS may be an interesting model for

Notes

590 PCI is a collaboration between American Express, Discover, JCB, Mastercard, and Visa.
591 PCI DSS is not a federal statutory requirement, though some states have legislation referencing PCI DSS. Forty-eight states and D.C. have enacted laws requiring merchants to report security breaches. See Security Breach Notification Laws, Nat'l Conf. of State Leg. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
592 Helping Airports Understand the Payment Card Industry Data Security Standard (PCI DSS) (Airport Cooperative Research Program Report 11, Oct. 2020), https://www.nap.edu/read/14436/chapter/1.
593 Maintaining Payment Security, PCI Sec. Standards Council, https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security.
594 Id. at 15-16.
595 Id. at 14.
596 Id.
597 Id.
598 See Visa Core Rules and Visa Product and Service Rules, Version 1.1, Visa (May 4, 2020), https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf; Mastercard Rules, Mastercard (Dec. 19, 2019), https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-rules.pdf.
599 Spec's Family Partners, Limited v. First Data Merch. Servs. LLC, 777 Fed. Appx. 785 (6th Cir. 2019); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018); Gordon v. Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231 (D. Colo. 2018); In re Arby's Rest. Grp., Inc., No. 1:17-cv-55555-WMR, 2018 U.S. Dist. LEXIS 233650 (N.D. Ga. Aug. 16, 2018); Engl v. Nat'l Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 U.S. Dist. LEXIS 187715 (D. Colo. June 20, 2016); In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848 (M.D. Fla. Jan. 27, 2020); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559 (M.D. Tenn. 2014).
600 777 Fed. Appx. at 787-88.
601 Id. at 788.
602 Id. at 789-90.
603 FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
604 FTC v. Wyndham Worldwide Corp., No. 1:13-CV-01887-ES-JAD (D.N.J. Dec. 11, 2015), https://www.ftc.gov/system/files/documents/cases/151211wyndhamstip.pdf.

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
