Pros and Cons of the Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (the PCI DSS) establishes the self-described minimum data protection measures required of all entities involved in payment card transactions. The PCI DSS consists of 12 basic requirements, along with testing procedures and guidance designed to assist entities in meeting each requirement. The PCI DSS itself is not a law or regulation, and the PCI Security Standards Council has no enforcement authority.

Many businesses are confused about what their obligations are under the standard and what liability they may still bear in the event of a data breach. The short answer is that while the PCI DSS provides guidance as to appropriate data protection measures and is contractually required by many card processing agreements, compliance with PCI DSS does not necessarily protect businesses from data breaches or related costs.

In their article for Law360, Sutherland attorneys Robert Pile and Kristin Ward Cleare discuss the fundamentals of PCI DSS, its benefits and limitations.

View the full article

Back to top