This Practice Note provides an introduction to the Payment Card Industry Data Security Standard (PCI DSS) for commercial lawyers. It explains the origins of PCI DSS and the Payment Card Industry Security Standards Council (PCI SSC), the entities to which PCI DSS applies, PCI DSS principles and requirements, the steps required to achieve compliance with PCI DSS, the requirements for ongoing compliance, enforcement (including card scheme fines), and the interaction of PCI DSS with UK privacy and data security laws and standards. Concepts examined include PIN Transaction Security (PTS), the Payment Application Data Security Standard (PA-DSS), tokenisation and shared-hosting providers. It also identifies certain key contractual protections that merchants should seek from their service providers.