
Payment Card Industry Data Security Standards: What Merchants Need To Know

February 9, 2007


Rules and guidelines protecting confidential customer information have long been part of the health care and financial services industries. Now, similar rules have been put into place for retailers, service providers and any other business that accepts payment cards. As in other fields, the stakes for non-compliance are high.

The payment card industry is putting the onus on merchants to protect confidential customer information through a new set of industry standards. Merchants who fail to follow these guidelines may face fines, liability for the fraudulent charges that result from a data breach, and revocation of their ability to accept payment cards, not to mention the bad press that accompanies a privacy breach.

Version 1.1 of the Payment Card Industry (PCI) Data Security Standard took effect Jan. 1, 2007, and was created by representatives from American Express, Discover, MasterCard, JCB and Visa International. Merchants who accept payment cards (both credit and debit) must establish a number of security procedures including:

  • Maintaining a secure computer network, which includes installing and maintaining a firewall configuration;
  • Protecting stored customer data;
  • Encrypting customer data when it is transmitted;
  • Restricting access to customer data on a need-to-know basis;
  • Regularly testing security procedures; and
  • Having a policy to address customer data security.

Some merchants also may be audited to ensure that they are meeting these new standards.

While technology such as firewalls can improve data security, proper procedures for employees are vital. Most security breaches take place because of human error, he said, and training employees in how to handle confidential customer information is a company’s best defense.

Also, companies that fail to establish and enforce privacy procedures run the risk of lawsuits from customers should a security breach happen.

If you do not have the right policies and procedures in place, you do not have an excuse if there is a security breach.

Womble Carlyle currently is advising a number of retail and service clients on complying with the new PCI Data Security Standard. Our team of experienced privacy and data protection attorneys can help companies stay ahead of the new standards and avoid potential data security problems.

Ted Claypoole – Ted is a senior member of the firm’s Intellectual Property practice group, with extensive experience in privacy and data security matters. He has worked with clients ranging from financial institutions to major manufacturers. Before coming to Womble Carlyle, he was assistant general counsel for Bank of America, where he was charged with protecting the company’s intellectual property. He has written about data security issues for a number of publications, including Southeast Tech Wire and the Charlotte Business Journal.
Phone: (704) 331-4910
Fax: (704) 338-7816

Mike Hubbard – Mike is a nationally-recognized attorney in the increasingly important field of privacy and data protection law. Mike’s broad practical experience in privacy and security matters includes implementing privacy and data protection programs, negotiating privacy and data protection agreements, and helping clients manage privacy concerns in a cost-effective manner. He also is a frequent speaker on privacy and data protection issues and has written extensively about these topics.

Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.

IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.
