The Law Of Data

Merchants are responsible; possible "economic ruin"

by John Dozier

I don't need to recite the many security breaches that have led to major financial losses for companies during the past 12 months. Every business should already know the risks of leaving credit card and account information exposed. Basically, the risk is total loss of your business, and possibly your personal assets as well. And the risks, of course, come from many directions. If you process credit cards, your contract mandates PCI DSS compliance on an ongoing basis with huge penalties flowing from breaches. The Federal Trade Commission could pursue just about any state attorney general could sue for violations of a state's data security disclosure laws, enterprising lawyers could file class action lawsuits and every customer could sue for damages. Data loss is just an ugly problem to have, often leading directly to economic ruin.

That is the problem. The solution, fortunately, has been laid out for you in the PCI DSS guidelines. These are rules issued by Visa, MasterCard, American Express and others with which you must comply in order to accept credit cards. The standards are somewhat burdensome, but not unduly so. I founded one of the first ecommerce companies focused on the electronic movement of credit card account information between hundreds of vendors in the early 1990s, and we ended up moving millions of transactions through the web for American Express, Citicorp, Sears, American General Finance and First USA. At the time, we implemented security standards far beyond the requirements of PCI DSS, so I have a pretty good perspective on the data security arena and how the laws and regulations have developed and are continuing to develop.

Basically, depending upon your business rating, which is determined by risk and transaction volume, you have a sliding scale of obligations. Everyone who accepts credit cards online must build and maintain a secure network, manage passwords proactively, protect stored data, encrypt transmissions, use quality anti-virus software, maintain secure systems and applications, restrict data access to need-to-know personnel, restrict physical access, monitor each authorized user independently, track all network resource access and cardholder data access, and maintain a written information security policy. Then, depending upon your merchant ranking, you will have to demonstrate ongoing compliance in a self-reporting mode, through internal auditing, or for high risk and high volume merchants, possibly through independent external auditing.

As your small or mid-size business struggles to grow revenue, increase margins, reduce overhead and maintain focus on all of the key financial metrics that drive success, you have yet another hoop to jump through in order to run your online business. There is no direct payback here in terms of becoming compliant with PCI DSS. It is a cost of doing business, without which you cannot accept credit cards, and without which you increase dramatically your risk of loss.

A final word of caution is in order. Compliance is not something to hand over to your "IT guy" for execution. The IT manager is all too often more than happy to undertake projects which he is ill equipped to complete in a quality way. Keep in mind that he is the guy who built the systems, or at least manages them, and a quality review of your system vulnerabilities and implementation of compliance standards and requirements is not something he should be handling. That approach has conflict of interest written all over it.

John Dozier is president of Dozier Internet Law, PC, a law firm representing small and mid-sized online businesses. He can be reached at firstname.lastname@example.org or online at

The information in this article is not intended to be legal advice. Always consult your attorney when faced with legal issues.

42 //// Practical Ecommerce //// September/October 2007