The new norm - PCI DSS v3.0 takes effect

The latest version of the Payment Card Industry Data Security Standard (“PCI DSS”), the worldwide standard established by the major payment card brands to tighten controls around cardholder data and reduce card fraud, became mandatory on 1 January 2015. PCI DSS v3.0 was published in November 2013 and ran alongside v2.0 throughout 2014, with v2.0 retired on 31 December 2014. It contains almost 100 changes from its predecessor, so every organisation that stores, processes or transmits payment card data needs to take note of them and audit its processes and controls in order to ensure continued compliance with the new standard.

Overview

Since its release in October 2010, PCI DSS v2.0 has been heavily criticised. Entities including the US National Retail Federation, the largest retail trade association globally, have expressed particular concern over a general lack of clarity and a bottom-up approach to enforcement and penalties, which is thought to have led to inadvertent non-compliance and to penalties falling disproportionately on smaller businesses.

Published by the Payment Card Industry Security Standards Council (“PCI SSC”) in November 2013, PCI DSS v3.0 seeks to address these issues through nearly 100 points of clarification, additional guidance and new requirements. Whilst over 80 percent of these changes clarify or provide guidance on requirements already set out in PCI DSS v2.0, the remainder are new requirements with which organisations must comply.

According to the PCI SSC, the new requirements respond to trends seen in the field, including third-party security challenges and the historically slow self-detection of malware by affected organisations. Those trends were demonstrated at the very highest profile less than a month after v3.0 was published, when a prolonged failure by US retail giant Target to detect malware on its point-of-sale systems allowed attackers to steal the data of some 40 million payment cards and the personal details of up to 70 million customers.

Key changes

All organisations should now be fully compliant with the requirements enshrined in PCI DSS v3.0, noting in particular the new obligations to:

  • Requirement 1 (firewall configuration): ensure that network documentation contains all relevant firewall information, including a current diagram showing all cardholder data flows across systems and networks;
  • Requirement 5 (anti-virus): evaluate evolving malware threats for systems not commonly affected by malware (including mainframes and mid-range systems), with a view to protecting the cardholder data environment as a whole from these types of attack. Organisations must also ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorised by management on a case-by-case basis for a limited period;
  • Requirement 8 (access management): ensure that, where authentication mechanisms other than passwords are used (for example, physical or logical security tokens, smart cards or certificates), (i) each mechanism is assigned to an individual account and not shared, and (ii) physical and/or logical controls ensure that only the intended account can use that mechanism to gain access;
  • Requirement 9 (physical access): control physical access to sensitive areas by onsite personnel, including a process to authorise access and to revoke it immediately upon termination of employment. From 1 July 2015, organisations must also protect devices that capture payment card data via direct physical interaction with the card (for example, at the point of sale) from tampering and substitution, which in practice means keeping an inventory of such devices and periodically inspecting them;
  • Requirement 11 (testing of security systems): implement a penetration testing methodology based on an industry-accepted approach (for example, NIST SP 800-115), which is a best practice until 30 June 2015 and a requirement from 1 July 2015, and maintain an inventory of authorised wireless access points, with a documented business justification for each, to support the quarterly scanning for unauthorised wireless devices; and
  • Requirement 12 (policy): maintain information about which PCI DSS requirements are managed by each service provider and which by the organisation itself. The standard also now makes explicit that the risk assessment must be performed (i) at least annually and (ii) after any significant change to the environment. From 1 July 2015, service providers must also acknowledge in writing to their customers that they are responsible for the security of the cardholder data they possess or otherwise handle on the customer’s behalf (new requirement 12.9, the service-provider counterpart of the written agreement that customers must hold from their providers under requirement 12.8).
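The wireless access point inventory under Requirement 11 is only useful if it is actually reconciled against what is found on the air. The following script is an added example (not from the article, the PCI SSC or any Kemp Little client) of that reconciliation: it loads a constructed inventory and a constructed site-survey result, then raises the findings a quarterly check should produce: an inventoried AP with no recorded business justification, an unknown BSSID broadcasting an authorised SSID (a likely rogue or “evil twin”), an entirely unauthorised AP, and an inventoried AP that no longer appears. The CSV layouts, MAC addresses and SSIDs are assumptions made for illustration.

```python
"""Added example: reconcile a wireless scan against the inventory of authorised
access points that PCI DSS v3.0 Requirement 11.1.1 asks organisations to keep.
The inventory format, the scan format and all MAC addresses/SSIDs below are
constructed for illustration only.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory: one row per authorised AP, with the business
# justification the requirement asks the organisation to record.
AUTHORISED_APS_CSV = """\
bssid,ssid,location,justification
00:11:22:33:44:01,corp-pos,Store 12 back office,POS terminal uplink
00:11:22:33:44:02,corp-pos,Store 12 shop floor,POS terminal uplink
00:11:22:33:44:03,corp-guest,Store 12 shop floor,
"""

# Constructed output of a site survey (a wireless IDS export or a manual scan).
SCAN_RESULTS_CSV = """\
bssid,ssid,channel,signal_dbm
00:11:22:33:44:01,corp-pos,6,-48
00:11:22:33:44:02,corp-pos,11,-55
00:11:22:33:44:03,corp-guest,1,-60
de:ad:be:ef:00:01,corp-pos,6,-42
aa:bb:cc:dd:ee:ff,linksys,1,-80
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    bssid: str
    ssid: str
    reason: str


def load_csv(text):
    """Parse an in-memory CSV document into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def normalise_mac(mac):
    """Compare BSSIDs case-insensitively and ignoring stray whitespace."""
    return mac.strip().lower()


def reconcile(inventory_csv, scan_csv):
    """Return the findings a quarterly Requirement 11.1 check should raise."""
    inventory = {normalise_mac(r["bssid"]): r for r in load_csv(inventory_csv)}
    authorised_ssids = {r["ssid"] for r in inventory.values()}
    findings = []

    # Inventory hygiene: every authorised AP needs a documented justification.
    for bssid, row in inventory.items():
        if not row["justification"].strip():
            findings.append(Finding("medium", bssid, row["ssid"],
                                    "authorised AP has no business justification recorded"))

    seen = set()
    for row in load_csv(scan_csv):
        bssid = normalise_mac(row["bssid"])
        seen.add(bssid)
        if bssid in inventory:
            continue
        if row["ssid"] in authorised_ssids:
            # Same SSID as an authorised network but an unknown BSSID: the
            # classic signature of a rogue AP impersonating the corporate network.
            findings.append(Finding("high", bssid, row["ssid"],
                                    "unknown BSSID broadcasting an authorised SSID (possible evil twin)"))
        else:
            findings.append(Finding("high", bssid, row["ssid"],
                                    "unauthorised access point detected"))

    # An inventoried AP that is no longer observed may have been removed or
    # substituted; the inventory should be corrected or the device inspected.
    for bssid, row in inventory.items():
        if bssid not in seen:
            findings.append(Finding("low", bssid, row["ssid"],
                                    "authorised AP not observed in scan; confirm it is still in service"))
    return findings


if __name__ == "__main__":
    for f in reconcile(AUTHORISED_APS_CSV, SCAN_RESULTS_CSV):
        print(f"[{f.severity}] {f.bssid} ({f.ssid}): {f.reason}")
```

Matching on BSSID rather than SSID is deliberate: an attacker can copy a network name trivially, so an SSID-only comparison would accept the “de:ad:be:ef:00:01” evil twin as legitimate. In a real deployment the scan input would come from the wireless IDS or survey tool already in use, and the findings would be recorded as evidence for the assessor alongside the inventory itself.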

Consequences

Non-compliance with PCI DSS, and any resulting data breach, may result in significant losses through widespread reputational damage, claims under applicable data protection legislation, and fines levied by the payment card brands behind PCI DSS (typically imposed on the acquiring bank, which passes them on to the merchant or service provider under its contract). The total cost of the Target data breach mentioned above, for example, had been reported as approximately $148 million as at the date of publication.

Visa has:

  • reiterated its view that organisations must become PCI DSS compliant;
  • increased its fines for non-compliance with PCI DSS v3.0 by service providers and level 1 / level 2 merchants, to up to $25,000 per month; and
  • confirmed that it will remove offending organisations from the Visa Global Registry of Service Providers.

Whilst the other payment card brands have not yet confirmed whether they will follow suit, non-compliance with PCI DSS v3.0 will inevitably be a costly and damaging affair.

Conclusion

Organisations that handle payment card information, whether by storing, processing or transmitting it, must ensure that they are now fully compliant with the relevant aspects of PCI DSS v3.0 in order to avoid potentially significant fines, as well as reputational damage that may be even more harmful to business profitability. Whilst the majority of changes from PCI DSS v2.0 are clarifications, the addition of several new requirements means that all organisations will need to analyse and update their systems and procedures in order to avoid penalties from the card brands, even if they were previously compliant with PCI DSS v2.0.

If a gap assessment has not already been undertaken, organisations should not delay in comparing the requirements of PCI DSS v2.0 with those of PCI DSS v3.0, identifying the issues arising from existing processes, and documenting those issues and their required resolution in a detailed implementation plan. Organisations should address the requirements of PCI DSS v3.0 in the affected policies and procedures, and train the relevant individuals on the revised standard to ensure ongoing compliance.

In line with advice from the PCI SSC, organisations should now take a proactive approach to protecting cardholder data: focus on security rather than on compliance alone, make PCI DSS a business-as-usual practice by building its controls into everyday activities, and adopt internal best practices for maintaining ongoing PCI DSS compliance between assessments.

For further information, please contact Chris Hill.