Corporate Banner
MML&K Gov
  

June 2014

Quick Links
McBrayer Website 

  MML&K Government Solutions Website  

Our Attorneys 

Our Practice Areas 

Client Feedback Survey  

Follow us on Twitter     View our profile on LinkedIn 

Understanding PCI Compliance

 

Authored by  H. Trigg Mitchell   

Payment Card Industry Data Security Standard (or, "PCI") is simply a series of requirements mandating that all merchants process, store and transmit credit card data within a secure environment. It applies to any and all businesses that possess a Merchant ID. Launched in 2006, the initiative was aimed at strengthening account security throughout each step of the credit card transaction process. PCI is managed by an independent body called PCI Security Standards Council, which consists of representatives from major card brands like Visa, MasterCard, AMEX and Discover. It is important to note that the payment brands and acquirers are responsible for enforcing PCI compliance, not the Security Standards Council.

 

A business's required level of PCI compliance is determined by its transaction volume in a 12-month period. Of course, the larger the business is, the more stringent the compliance requirements are. Payment brands, at their discretion, may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it reaches the merchant. Furthermore, after receiving a fine, the bank will likely terminate its relationship or increase transaction fees with the merchant.

 

The strength of PCI security has been questioned in recent months in wake of massive, multi-million dollar security breaches. Until there is a stronger system or stronger hacker deterrents, however, businesses must abide by PCI standards to ensure they are doing what they can to protect their customers and their business.

 

Kentucky's New Breach Notification Legislation

J. Chris Nolan

Data breaches, whether big or small, can leave customers exposed to fraudulent activity. You may recall that in January 2014, Target reported that an estimated 70 to 110 million of its customers had personal information (namely, credit and debit card numbers) stolen in a widespread data breach during the holiday season. While the size of your business may be nowhere near the size of Target's, you undoubtedly face the same kind of security threats. Unfortunately, with smaller businesses, the impact of a breach can be devastating...quickly morphing into an economic and reputational crisis - leaving customers questioning not only security systems, but the business itself. 

H. Trigg Mitchell

No business's security system is safe from hackers. What we can learn from Target and other big-name businesses (i.e., Snapchat, Michaels, Neiman Marcus) involved in security snafus is that it is not always the breach, but often the responsiveness and reaction from the company that determines the success of its recovery. Thanks to new legislation, businesses in Kentucky now have a set methodology for reaching out to customers when things go awry. Almost all other states (Kentucky is the 47th) have enacted breach notification legislation, making it a legal obligation to inform customers when a data breach occurs that could leave them vulnerable to identify theft.

 

Pursuant to Kentucky's House Bill 232's provisions, a security breach is defined as "the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder [i.e., business] as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident."

 

"Personally identifiable information" includes an individual's first name or first initial and last name in combination with one or more of the following unredacted data elements: (1) Social Security number; (2) driver's license number; or (3) account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.  

(READ FULL ARTICLE)


When confidential data is on the line, so is your reputation. Kentucky's new notification duties on confidential data require your attention.

Are you ready?

McBrayer and Business Lexington present: 
Data Protection Lunch Seminar
July 17th
11:30 - 2:00
Commerce Lexington
330 E. Main St. #100
Lexington, KY

Join us as we discuss your legal obligations and provide real-world advice about how to create a breach response plan.

Who should attend?
  • Are you a business that has customer information?
  • A non-profit with donor financial data?
  • A business with government contracts?

Failing to plan is planning to fail.

Great Blog Reads

Visit our blog Business & Corporate Law

- Inherited IRAs Are Not Protected Assets in Bankruptcy

- Does Your Business Use Surcharges?
Read More Here.

- The Tax Risks of Misclassifying Employees
Read More Here.


Visit our blog Employment Law

- U.S. DOL Issues Proposed Minimum Wage Regulations for Federal Contractors
Read More Here.

- Landmark Decision Affects Non-Compete Agreements in Kentucky
Read More Here.

- NLRB Decision Limits Employer's Off-Duty Policy
Read More Here.


Visit our blog Health Care Law

- Medicare Part D Prescribers Must Act Now
Read More Here.

- Physicians Facing an Increased Risk of Qui Tam Suits
Read More Here.

- Physician Reminder: On-Site Supervision of PA's No Longer Required
Read More Here.

 

Even though the content in this McBrayer employment law alert is for informational purposes and not legal advice, state and federal law obligates us to inform you that THIS IS AN ADVERTISEMENT.  You have received this advisory because you are a client or friend of the firm.  This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents of this publication are intended solely for general purposes, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have. The publication is not intended and should not be considered as a solicitation to provide legal services. Services may be performed by other attorneys in the firm.  

   

Copyright© 2014 McBrayer, McGinnis, Leslie & Kirkland, PLLC. All Rights Reserved.