Data Protection: Payment Card Industry Security

Baker Donelson's privacy professionals regularly advise clients on how to implement best practices to proactively ensure PCI-DSS compliance and minimize potential exposure.

Practice Overview


From major retailers to small businesses, all companies that accept, store, or transmit credit card data must comply with the Payment Card Industry Security Standards Council's (PCI SSC) Data Security Standard (PCI-DSS). Failure to comply with the PCI-DSS can damage a company's reputation and carry significant legal repercussions. Because companies subject to PCI-DSS continue to be targets of sophisticated cyberattacks, PCI-DSS compliance remains paramount in avoiding data breaches and cyber incidents. As businesses collect substantial amounts of information on their customers, protecting that information has become increasingly difficult, and when that data includes credit or debit card information, complying with mandatory security standards can seem even more complex.

Our privacy professionals work with clients to:

  • Assess the level of required PCI-DSS compliance
  • Evaluate relationships with vendors that may process credit card data on your company's behalf
  • Identify and direct investigations into suspected data incidents involving credit card data
  • Assist with regulatory reporting obligations

Whether your business has suffered a large-scale compromise, such as a ransomware attack, or is dealing with an inadvertent disclosure of an individual's credit card information, our team can help.

More than one-third of our Data Protection, Privacy and Cybersecurity attorneys are certified by the International Association of Privacy Professionals (IAPP) as Certified Information Privacy Professionals (CIPP/US, CIPP/E and/or CIPP/C), and two attorneys are Certified Information Privacy Managers (CIPM). In addition, we have a team member certified in the Law of Data Security and Investigations (GLEG) and another who is certified as a Payment Card Industry Professional (PCIP).

Our Financial Services Data Protection, Privacy and Cybersecurity attorneys advise businesses on all aspects of PCI-DSS compliance, including:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Managing relationships with third-party payment processors
  • Maintaining a vulnerability management program
  • Implementing strong access-control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy
  • Maintaining an incident response plan
  • Employee training
  • Leading investigations and working with industry experts to assist with detection, containment and recovery in data incidents affecting cardholder data
  • Assisting with assessment and drafting of any state and federal notification obligations
  • Managing communications with vendors, employees, customers, and other stakeholders
  • Responding to any state and federal government investigations that result from a cardholder data incident
  • Providing analysis to assist in developing post-incident remediation
  • Handling litigation, including class action cases, involving data incident issues

Representative Matters

  • Represented national retailer managing cyber incident affecting customer credit card information, including working with forensic vendor to contain incident, conducting multi-state breach notification analysis, and notifying major credit card brands.

  • Advised a leading e-commerce company that was severely impacted by a phishing attack on multiple employee e-mail accounts that required assessment of regulatory issues under the Payment Card Industry Data Security Standards (PCI-DSS) and responding to regulatory investigations by state attorneys general.

  • Represented e-commerce startup company on all aspects of PCI-DSS compliance, including user terms and conditions, privacy policies, and negotiating contracts with third-party vendors.

  • Counseled retailer on complying with PCI-DSS requirements.

  • Assisted merchant errantly included on MATCH list.
