ACRP LRD 42 57

costs of the production of data need to be accounted for in the determination to collect data. While some states have provisions allowing for government recovery of fees and costs in connection with the production of some records, such recovery is not permitted in all cases. Similarly, some states do allow for differential charges when the request is for a commercial purpose, but most do not. The respective policies of states can be found in the NACo and Reports Committee resources referenced in this section.

With continued focus on openness and transparency in government, state FOIA provisions should be considered in planning for airport data collection and sharing. Airports engaged in data collection should be particularly mindful of the following factors:

• Protection or lack of protections for proprietary data and trade secrets;
• Requirements and restrictions on production of private personal information; and
• The volume of requests.

The ability of the airport to protect data may well shape what can be collected or what other stakeholders may be willing to share.

XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS

Through the Payment Card Industry Security Standards Council, credit card companies set PCI DSS standards to reduce the likelihood of credit card fraud.[590] The standards concern the security of credit card information and of the systems that process it, and include requirements for security management, policies, procedures, network architecture, software design, and other protective measures.[591] Requirements may differ based on the size of the organization and the volume of transactions processed per year. Additionally, merchants that suffer a breach may be required to increase their validation level.

According to ACRP RRD 11: Helping Airports Understand the Payment Card Industry Data Security Standard,[592] there are six objectives of PCI DSS:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

PCI DSS established the following twelve security standards:[593]

• Install and maintain a firewall configuration;
• Do not use vendor-supplied default passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data across open, public networks;
• Use and regularly update antivirus software or programs;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need-to-know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes; and
• Maintain a policy that addresses information security for employees and contractors.

Airport operators may have many roles within the PCI environment. ACRP RRD 11 discusses potential airport operators' roles and technical responsibilities. Airports may act as merchants by accepting credit or debit cards as a form of payment, or as service providers through their networks or applications that store, process, or transmit data, and may contract with third parties to provide credit card services on their behalf.[594] Airports' positions in the data collection processes will affect their responsibilities to secure data and their potential liabilities.

In determining PCI DSS responsibility, airports first must assess their roles in the process and their contractual obligations. Second, airports must consider their "assets" in order to secure data "touchpoints."[595] Touchpoints include places where cardholders' data is stored, received, sent, or processed.[596] Some potential PCI DSS airport touchpoints are:

• Common Use Kiosks
• Airport Networks
• Wi-Fi
• Airport Business Operations
• Parking Revenue Control Systems

[590] PCI is a collaboration between American Express, Discover, JCB, Mastercard, and Visa.
[591] PCI DSS is not a federal statutory requirement, though some states have legislation referencing PCI DSS. Forty-eight states and D.C. have enacted laws requiring merchants to report security breaches. See Security Breach Notification Laws, Nat'l Conf. of State Leg. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
[592] Helping Airports Understand the Payment Card Industry Data Security Standard (PCI DSS) (Airport Cooperative Research Program Report 11, Oct. 2020), https://www.nap.edu/read/14436/chapter/1.
[593] Maintaining Payment Security, PCI Sec. Standards Council, https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security.
[594] Id. at 15-16.
[595] Id. at 14.
[596] Id.

58 ACRP LRD 42

Touchpoints also include electronic and non-electronic data storage.[597] Third, airports must consider whether they meet the PCI DSS requirements for the specific touchpoints.

A. Contractual Duties and Liabilities

Merchants processing credit card data typically have the burden of securing the data. A chain of contracts exists from the credit company through the banks and service providers to the merchant. Major credit card companies' rules require PCI DSS compliance and impose added standards for acquiring banks and their merchants and third-party agents.[598] The credit company rules define penalties for noncompliance. These penalties may include fines or enhanced transaction charges, typically passed down the contractual chain. Credit companies impose assessments on or fine acquiring banks when they or their merchants have a breach or fail to comply with PCI DSS requirements. Assessments can include losses incurred to replace compromised cards or to refund customers for fraudulent charges made on compromised cards, and case management assessments. Fines can range from $5,000 to $100,000 per month for continuing noncompliance violations. Acquiring bank contracts with merchants require indemnification for these assessments from merchants. Alternatively, acquiring banks may either terminate their relationship with the merchant or increase transaction fees.

Several security breaches resulting in stolen credit card data and PCI DSS standard failures have resulted in lawsuits. Merchants have either sued to obtain money held by acquiring banks or credit companies, or have faced lawsuits from banks, credit companies, or consumers seeking remedies for data breaches.[599] For example, in Spec's Family Partners v. First Data Merchant Services (Spec's), Spec's suffered two data breaches of its payment card system. After the first data breach, Spec's paid First Data Merchant Services the contractual damages owed to the impacted credit company because of the breach. After the second breach, First Data Merchant Services withheld over two million dollars for assessments imposed by the credit card company. Spec's brought an action for its breach of contract claim, alleging that First Data Merchant Services improperly withheld the two million dollars in damages.[600] The bank counterclaimed, alleging that the first data breach constituted a material breach of the parties' contract. The parties' contract established fees and charges; rules, policies, and regulations that included adoption of credit card companies' rules and regulations, including compliance with PCI DSS and the imposition of an assessment for noncompliance; and procedures for First Data Merchant Services to collect and store settlement funds. The contract also obligated Spec's to indemnify First Data Merchant Services for failure to comply with PCI DSS but specified that Spec's was not liable for "special, incidental, or consequential losses or damages."[601]

On cross-motions for summary judgment, the court granted Spec's motion and denied First Data Merchant Services'. Although Spec's conceded it was not compliant with nine of 12 PCI DSS standards and therefore in breach of the contract, the court found that the breach was not material because "both parties continue[d] to perform under the Agreement… support[ing] the conclusion that [d]efendant did not consider the breach material, [p]laintiff ha[d] cured the failure, or provided reasonable assurances that it w[ould] comply with the PCI DSS in the future."[602] Moreover, after the first breach, Spec's demonstrated an attempt to cure its noncompliance and provide reasonable assurances that it would comply with the agreed-upon PCI DSS standards by accounting for the circumstances that led to the failure and contracting with a third party to assist with compliance. The court stated that even if it had found the breach material, it was cured because the parties continued to operate under the contract, Spec's attempted to fix the noncompliance issues, and Spec's paid the noncompliance fine imposed by the credit card company. The court then held that First Data Merchant Services' withholding of two million dollars after the second data breach constituted the imposition of consequential damages. But because the contract stated that Spec's was not liable for consequential damages, the bank's withholding of these funds resulted in a material breach of the contract.

As discussed in Section IX, the FTC filed suit against Wyndham Hotels and Resorts in 2015 as a result of three separate data breaches.[603] The settlement agreement between the FTC and Wyndham required the hotel chain to implement security measures and annual audit procedures in compliance with PCI DSS standards.[604] The settlement agreement defines PCI DSS as the approved standard for credit card data security.

B. Model Industry Standard

The success and wide adoption of PCI DSS in protecting credit card data can serve as a model for common airport data collection activities that implicate various data collection concerns. For example, PCI DSS may be an interesting model for

[597] Id.
[598] See Visa Core Rules and Visa Product and Service Rules, Version 1.1, Visa (May 4, 2020), https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf; Mastercard Rules, Mastercard (Dec. 19, 2019), https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-rules.pdf.
[599] Spec's Family Partners, Limited v. First Data Merch. Servs. LLC, 777 Fed. Appx. 785 (6th Cir. 2019); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018); Gordon v. Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231 (D. Colo. 2018); In re Arby's Rest. Grp., Inc., No. 1:17-cv-55555-WMR, 2018 U.S. Dist. LEXIS 233650 (N.D. Ga. Aug. 16, 2018); Engl v. Nat'l Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 U.S. Dist. LEXIS 187715 (D. Colo. June 20, 2016); In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848 (M.D. Fla. Jan. 27, 2020); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559 (M.D. Tenn. 2014).
[600] 777 Fed. Appx. at 787-8.
[601] Id. at 788.
[602] Id. at 789-90.
[603] F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
[604] F.T.C. v. Wyndham Worldwide Corp., No. 1:13-CV-01887-ES-JAD (D. N.J. Dec. 11, 2015), https://www.ftc.gov/system/files/documents/cases/151211wyndhamstip.pdf.