National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS

Suggested Citation: "XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

ACRP LRD 42

costs of the production of data need to be accounted for in the determination to collect data. While some states have provisions allowing for government recovery of fees and costs in connection with the production of some records, such recovery is not permitted in all cases. Similarly, some states do allow for differential charges when the request is for a commercial purpose, but most do not. The respective policies of the states can be found in the NACo and Reports Committee resources referenced in this section.

With continued focus on openness and transparency in government, state FOIA provisions should be considered in planning for airport data collection and sharing. Airports engaged in data collection should be particularly mindful of the following factors:

• Protection, or lack of protection, for proprietary data and trade secrets;
• Requirements and restrictions on production of private personal information; and
• The volume of requests.

The ability of the airport to protect data may well shape what can be collected or what other stakeholders may be willing to share.

XI. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) AND AIRPORTS

Through the Payment Card Industry Security Standards Council, the credit card companies set the PCI DSS standards to reduce the likelihood of credit card fraud.590 The standards concern the security of credit card information and of the systems that process it, and include requirements for security management, policies, procedures, network architecture, software design, and other protective measures.591 Validation requirements differ based on the size of the organization and the volume of transactions it processes per year, and a merchant that suffers a breach may be required to validate at a higher level. According to ACRP RRD 11: Helping Airports Understand the Payment Card Industry Data Security Standard,592 PCI DSS has six objectives:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

PCI DSS establishes the following twelve requirements:593

• Install and maintain a firewall configuration;
• Do not use vendor-supplied defaults for passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data across open, public networks;
• Use and regularly update antivirus software or programs;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need-to-know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes; and
• Maintain a policy that addresses information security for employees and contractors.

Airport operators may have many roles within the PCI environment. ACRP RRD 11 discusses airport operators' potential roles and technical responsibilities. Airports may act as merchants, by accepting credit or debit cards as a form of payment, or as service providers, through networks or applications that store, process, or transmit cardholder data, and they may contract with third parties to provide credit card services on their behalf.594 An airport's position in the data collection process will affect its responsibility to secure the data and its potential liability.

In determining PCI DSS responsibility, airports first must assess their roles in the process and their contractual obligations. Second, airports must inventory their "assets" to identify the data "touchpoints" that must be secured.595 Touchpoints are the places where cardholder data is stored, received, sent, or processed.596 Some potential PCI DSS airport touchpoints are:

• Common use kiosks
• Airport networks
• Wi-Fi
• Airport business operations
• Parking revenue control systems

Touchpoints also include electronic and non-electronic data storage.597 Third, airports must consider whether they meet the PCI DSS requirements for each specific touchpoint.

A. Contractual Duties and Liabilities

Merchants processing credit card data typically bear the burden of securing the data. A chain of contracts runs from the credit card company through the acquiring banks and service providers to the merchant. The major credit card companies' rules require PCI DSS compliance and impose added standards on acquiring banks and their merchants and third-party agents.598 The card companies' rules define penalties for noncompliance, which may include fines or enhanced transaction charges that are typically passed down the contractual chain. Card companies impose assessments on, or fine, acquiring banks when the banks or their merchants suffer a breach or fail to comply with PCI DSS requirements. Assessments can include the losses incurred to replace compromised cards or to refund customers for fraudulent charges made on compromised cards, as well as case management assessments. Fines for continuing noncompliance can range from $5,000 to $100,000 per month. Acquiring banks' contracts with merchants require the merchant to indemnify the bank for these assessments. Alternatively, acquiring banks may terminate their relationship with the merchant or increase transaction fees.

Several security breaches resulting in stolen credit card data and failures to meet PCI DSS standards have led to lawsuits. Merchants have either sued to recover money withheld by acquiring banks or card companies, or have faced lawsuits from banks, card companies, or consumers seeking remedies for data breaches.599 For example, in Spec's Family Partners v. First Data Merchant Services (Spec's), Spec's suffered two data breaches of its payment card system. After the first breach, Spec's paid First Data Merchant Services the contractual damages owed to the affected card company because of the breach. After the second breach, First Data Merchant Services withheld over two million dollars for assessments imposed by the card company. Spec's brought a breach of contract action, alleging that First Data Merchant Services improperly withheld the two million dollars.600 The bank counterclaimed, alleging that the first data breach constituted a material breach of the parties' contract. The contract established fees and charges; rules, policies, and regulations that included adoption of the card companies' rules and regulations, including compliance with PCI DSS and the imposition of an assessment for noncompliance; and procedures for First Data Merchant Services to collect and store settlement funds. The contract also obligated Spec's to indemnify First Data Merchant Services for failure to comply with PCI DSS, but specified that Spec's was not liable for "special, incidental, or consequential losses or damages."601

On cross-motions for summary judgment, the court granted Spec's motion and denied First Data Merchant Services'. Although Spec's conceded that it was not compliant with nine of the twelve PCI DSS requirements and was therefore in breach of the contract, the court found that the breach was not material because "both parties continue[d] to perform under the Agreement… support[ing] the conclusion that [d]efendant did not consider the breach material, [p]laintiff ha[d] cured the failure, or provided reasonable assurances that it w[ould] comply with the PCI DSS in the future."602 Moreover, after the first breach Spec's demonstrated an attempt to cure its noncompliance and provided reasonable assurances that it would comply with the agreed PCI DSS standards, by accounting for the circumstances that led to the failure and contracting with a third party to assist with compliance. The court stated that even if it had found the breach material, the breach was cured because the parties continued to operate under the contract, Spec's attempted to fix the noncompliance issues, and Spec's paid the noncompliance fine imposed by the card company. The court then held that First Data Merchant Services' withholding of two million dollars after the second breach constituted the imposition of consequential damages. Because the contract stated that Spec's was not liable for consequential damages, the bank's withholding of these funds was itself a material breach of the contract.

As discussed in Section IX, the FTC's suit against Wyndham Hotels and Resorts, arising from three separate data breaches, produced a 2015 Third Circuit decision603 and a settlement agreement. The settlement agreement between the FTC and Wyndham required the hotel chain to implement security measures and annual audit procedures in compliance with PCI DSS.604 The settlement agreement defines PCI DSS as the approved standard for credit card data security.

B. Model Industry Standard

The success and wide adoption of PCI DSS in protecting credit card data can serve as a model for common airport data collection activities that implicate various data collection concerns. For example, PCI DSS may be an interesting model for

590 The PCI Security Standards Council is a collaboration among American Express, Discover, JCB, Mastercard, and Visa.
591 PCI DSS is not a federal statutory requirement, though some states have legislation referencing PCI DSS. All fifty states and D.C. have enacted laws requiring merchants to report security breaches. See Security Breach Notification Laws, Nat'l Conf. of State Leg. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
592 Helping Airports Understand the Payment Card Industry Data Security Standard (PCI DSS), ACRP Research Results Digest 11 (Oct. 2010), https://www.nap.edu/read/14436/chapter/1.
593 Maintaining Payment Security, PCI Sec. Standards Council, https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security.
594 ACRP RRD 11, supra note 592, at 15-16.
595 Id. at 14.
596 Id.
597 Id.
598 See Visa Core Rules and Visa Product and Service Rules, Version 1.1, Visa (May 4, 2020), https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf; Mastercard Rules, Mastercard (Dec. 19, 2019), https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-rules.pdf.
599 Spec's Family Partners, Ltd. v. First Data Merch. Servs. LLC, 777 Fed. Appx. 785 (6th Cir. 2019); Cmty. Bank of Trenton v. Schnuck Markets, Inc., 887 F.3d 803 (7th Cir. 2018); Gordon v. Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231 (D. Colo. 2018); In re Arby's Rest. Grp., Inc., No. 1:17-cv-55555-WMR, 2018 U.S. Dist. LEXIS 233650 (N.D. Ga. Aug. 16, 2018); Engl v. Nat'l Grocers by Vitamin Cottage, Inc., No. 15-cv-02129-MSK-NYW, 2016 U.S. Dist. LEXIS 187715 (D. Colo. June 20, 2016); In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848 (M.D. Fla. Jan. 27, 2020); Genesco, Inc. v. Visa U.S.A., Inc., 296 F.R.D. 559 (M.D. Tenn. 2014).
600 777 Fed. Appx. at 787-88.
601 Id. at 788.
602 Id. at 789-90.
603 FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
604 FTC v. Wyndham Worldwide Corp., No. 1:13-CV-01887-ES-JAD (D.N.J. Dec. 11, 2015), https://www.ftc.gov/system/files/documents/cases/151211wyndhamstip.pdf.


As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
