Discount class action theories broaden in California

The plaintiffs’ bar has a new angle on retailer discounting cases, which attack California retailers who discount merchandise by showing an “original” or “former” price next to a much lower, discounted price to imply tremendous savings.

Initially, plaintiffs relied on California’s False Advertising Law, Unfair Competition Law, and the Consumer Legal Remedies Act to allege that consumers are deceived into purchasing items based on allegedly “false” discounts. The FAL specifically prohibits discount “advertising” of this sort unless the former price was “the prevailing market price… within three months” prior.

Using these cases as a springboard, plaintiffs have recently developed a new liability theory – attacking percentage discount sales – which is proving difficult for defendants to shake.

For example, in Knapp v., Inc., plaintiff alleged he was enticed to purchase framed artwork during a 40% off sale ending at midnight that day, only to later learn that a 45% off sale commenced at 12:01 a.m. Plaintiff further urged that defendant consistently offered discounts ranging from 30 to 50 percent, rarely offering goods at the full retail price, thereby falsely inducing consumers to purchase under the mistaken belief they were receiving a bargain.

Even though plaintiff admitted that a special discount code had to be entered to receive the sale price, meaning some consumers were paying full price, the district court denied the defendant’s motion to dismiss based on pure allegations that the 40% off sale was illusory.

In Veera v. Banana Republic, LLC, two sets of plaintiffs launched another attack on a 40% off sale, alleging it was misleading because the sale signs did not disclose that the discount did not apply to everything in the store. In each instance, plaintiffs claimed they were lured into the store by the 40% off signage, selected numerous items for purchase, only to be informed at checkout that the discount only applied to select items. Plaintiffs claimed they ended up buying non-sale items anyway to avoid embarrassment in front of their children and other customers waiting in line behind them, and out of frustration over wasted time spent in the store.

While the trial court granted summary judgment for defendant because plaintiffs knew that the items were not on sale and purchased them anyway, the court of appeal reversed, finding that whether the signage induced plaintiffs to enter the store – thereby creating a “bait and switch” scenario where plaintiffs were caught up in “the momentum to buy” – was an issue of fact for the jury.

The takeaway? Aside from the fact that it increasingly seems that no good deed – or offer of a bargain – will go unpunished in California, how often a retailer can offer sales and how little “momentum to buy” is required to establish reliance and a potential injury is less clear after these decisions. The comparative price cases at least set forth a statutory standard for retailers. Knapp and Veera, on the other hand, put forward ambiguous and inconsistent standards that – as the dissent in Veera observed – “will invite exhaustive litigation” as plaintiffs continue to push the envelope against retailers.

First Proposition 65 BPA settlements hit

After months of speculation about the first BPA settlement reformulation standards, we have our first clue: 1,000 parts per million with an option to warn.

Serial polycarbonate drinking glass user Anthony Ferreiro resolved his allegations of BPA exposure without a warning from polycarbonate drinkware through two out-of-court settlements, which recently became available on the California Attorney General Proposition 65 website. Both settlements apply to polycarbonate drinkware and provide an option for a 1,000 ppm reformulation standard (using the test method ATS 367 Rev) or a standard Proposition 65 warning for reproductive toxins.


We caution that because these are out-of-court settlements and only involve one Proposition 65 plaintiff group, we do not yet know whether it will become the de facto compliance limit for BPA. We have no way of knowing whether the 1,000 ppm level is supported by an exposure analysis, and CEH still has complaints pending for BPA exposure from polycarbonate drinkware and thermal receipt paper. Until we see what happens with those cases, it is prudent to maintain labeling and other BPA warnings.



California Court of Appeal refuses to honor jury trial waiver

In today’s business world, companies frequently enter into contractual provisions with their customers to limit jury trial exposure as part of managing future risks. However, if you think that agreeing that any dispute can be resolved without a jury trial is enough to insulate you and your business from this threat – THINK AGAIN.

Just last month, the California Court of Appeal overturned a contractual provision waiving the parties’ right to a jury trial, despite the fact that such a waiver was fully enforceable under New York law, which the parties had selected in the contract’s choice-of-law section.

In Rincon EV Realty LLC et al. v. CP III Rincon Towers, Inc., et al., plaintiffs entered into a loan agreement for the purchase of real estate. Ultimately, the parties disagreed as to the terms of the loan maturity date, and plaintiffs filed suit in California state court alleging, among other things, breach of the loan agreement.

The initial loan agreement included a New York choice-of-law provision, specifying that plaintiffs waived any claim that California law (or the law of any state other than New York) govern their agreements. The agreement also expressly waived any parties’ right to seek a jury trial.

Nevertheless, plaintiffs filed a jury demand in California state court, which defendants challenged. The trial court granted defendants’ motion to strike the jury demand based on the contractual waiver, but the Court of Appeal overturned this ruling, applying the choice-of-law principles set forth in section 187 of the Restatement (Second) of Conflict of Laws.

Although the Court of Appeal recognized that New York had a substantial interest in the transaction (plaintiffs’ principal place of business was in New York, the agreements were negotiated in New York, and the loan was made, accepted, and the proceeds distributed there), it held that the New York law on jury waivers was contrary to California’s fundamental policy of granting an “inviolate right” to a jury trial, waivable in only six specific ways. The Court then found that California, the forum state, had a greater interest in having its law applied because of its interest in “enforcing its policy that only the Legislature can determine the permissible methods for waiving the right to jury trial….”

The takeaway from this decision is that jury trial waivers in contracts and agreements are likely unenforceable should a lawsuit be filed in California. Here, it didn’t matter that the relevant actions took place in New York, or that the parties (arguably sophisticated) specifically agreed that New York law should apply. Nor did it matter that the parties knew and understood that they were waiving the right to a jury trial. By simple virtue of the fact that the case was filed in California, a state deemed to have the greater interest in having its jury waiver laws applied, the parties’ express agreement was invalidated.

Bottom line: don’t get too comfortable that you’ve made an agreement to waive a jury trial in advance of litigation. If the lawsuit is filed in California, you may very well find yourself conducting voir dire. It also remains to be seen whether this holding is expanded to find other “procedural” contract provisions unenforceable.

Chicago checkout bag tax set to begin

For retailers and other companies doing business in the Windy City, the Chicago Checkout Bag Tax Ordinance implements a $0.07 tax on “the retail sale or use” of paper or plastic checkout bags. It goes into effect on February 1, 2017. The new tax accompanies the repeal of the city’s reusable bag ordinance.

The tax operates like a typical product stewardship fee – wholesalers of paper or plastic checkout bags must collect the tax when supplying checkout bags to stores in the city and then pass the additional cost down the supply chain. Wholesalers are responsible for remitting the tax to the city and filing required tax returns. Retailers who sell checkout bags to customers must assess the tax at checkout and separately state it on the receipt with a line item “Checkout Bag Tax.” Retailers who give checkout bags to customers must either charge the tax and separately state it on the receipt, or not charge the tax and absorb it themselves.

The city has established a webpage with information on the tax.

Who’s covered

The tax applies to stores, which the ordinance defines as any person who “engages in the business of selling tangible personal property.” This means that anyone who sells a physical good is subject to the ordinance – unlike most existing checkout bag restrictions, Chicago’s is not limited only to grocery stores or drugstore chains.

What’s covered

The ordinance limits the definition of “checkout bags” to paper or plastic carryout bags “provided by a store to a customer for the purpose of carrying goods out of a store.” The ordinance exempts bags used inside the store to:

  • Package loose bulk items, including fruit, vegetables, nuts, grains, candy, cookies or small hardware items
  • Contain or wrap frozen foods, meat or fish
  • Contain or wrap flowers, potted plants or other damp items
  • Separate food or merchandise that could damage or contaminate other food or merchandise if placed together in a single bag
  • Contain unwrapped prepared foods or bakery goods.

The tax also exempts the following categories:

  • Prescription drug bags
  • Packages of garbage bags
  • Dine-in “doggie bags” or take-out restaurant bags for food or drink purchased by customers
  • Newspaper bags
  • Dry cleaning or garment bags
  • Plastic liners permanently fixed or intended to be permanently fixed to the inside of a bag
  • Plastic bags with a retail price of at least $0.50 each
  • Checkout bags used to carry items under governmental food assistance programs like SNAP.

Collecting the tax

Of the $0.07 collected, retail stores may keep $0.02, while the wholesaler must remit the remaining $0.05 to the city. If a wholesaler does not collect from retailers, retail stores must still collect the tax, with the added burden of remitting it to the city themselves. If the wholesaler sells checkout bags to a purchaser that is not a retail store, the wholesaler must still obtain the $0.07 tax, but it is eligible to retain $0.02 per bag as a commission.

For exempt bags, the city’s FAQ states that retailers should take credits on their payments to wholesalers on a going forward basis to account for exempt bags from the prior month, and in turn wholesalers should claim a credit when submitting their tax payments.

In an added wrinkle, the ordinance requires stores to ascertain their on-hand inventory of paper and plastic checkout bags by COB on Tuesday, January 31, 2017 and pay $0.05 for the existing inventory by mail, postmarked on or before Friday, March 3, 2017 (a late fee of $100 applies). Wholesalers and retailers must keep detailed records and make them available for inspection upon request.

Trump administration ices EPA formaldehyde in composite wood rule

Following up our recent post on EPA’s publication of its formaldehyde in composite wood rule, the Trump administration has delayed the rule’s effective date from February 10, 2017 to March 21, 2017. This delay is part of the administration’s “Regulatory Freeze Pending Review.” It is unclear what impact this freeze will have on the rule’s implementation, as the “manufactured by” date that triggers compliance is based on EPA publication (December 12, 2016), not the original effective date (February 10, 2017). But the “freeze” is intended to prevent implementation of EPA regulations without review, and directs agencies to:

…consider proposing for notice and comment a rule to delay the effective date for regulations beyond … [the current delay]. In cases where the effective date has been delayed in order to review questions of fact, law, or policy, you should consider potentially proposing further notice-and-comment rulemaking. Following the delay in effective date

  1. for those regulations that raise no substantial questions of law or policy, no further action needs to be taken; and
  2. for those regulations that raise substantial questions of law or policy, agencies should notify the OMB Director and take further appropriate action in consultation with the OMB Director.

We assume that until further notice, implementation is on hold. We will continue tracking this issue and providing updates as they develop.

EPA publishes formaldehyde in composite wood rule – Dec. 2017 compliance dates

EPA recently published its final rule restricting formaldehyde emissions from composite wood. The publication now triggers the rule’s effective date (Feb. 10, 2017) and the first compliance dates (December 12, 2017). The rule implements the formaldehyde standards found in Title VI of TSCA. EPA has expressly stated that the rule is “consistent, to the extent EPA deemed appropriate and practical considering TSCA Title VI, with the requirements currently in effect in California” under CARB’s ATCM Phase 2, but there are some differences that are bound to cause compliance headaches.

Emission Standards

EPA’s final rule contains the same emissions limits as CARB Phase 2:

  • 0.05 ppm – hardwood plywood (veneer and composite cores)
  • 0.09 ppm – particleboard
  • 0.11 ppm – medium density fiberboard
  • 0.13 ppm – thin medium density fiberboard.

Unlike CARB, the rule does not provide a blanket exemption for laminated products with a compliant core (although CARB is apparently reconsidering this). The rule exempts from testing and certification any laminated products made by attaching a wood/woody grass veneer with 1) a phenol-formaldehyde resin or 2) a resin formulated with no added formaldehyde as part of the resin cross-linking structure to a compliant core or platform. But it only delays the compliance date for other laminated products to Dec. 12, 2023, on the theory that the type of resin used to attach the veneers could increase formaldehyde emissions.

Third party certification and testing

The rule mirrors CARB compliance testing. Manufacturers must certify compliance through an EPA-approved third party testing lab. After certification, the third party certifier must test the products quarterly. Existing CARB-approved third party certifiers may certify to TSCA Title VI for up to two years. After that, EPA-approved certifiers must perform the certification.

Manufacturers must implement a quality control testing system for each product line with frequencies dependent upon the type of product and the production schedule (e.g., once-per-shift for MDF and particleboard to weekly for hardwood plywood depending upon the quantity produced). Like CARB, the rule adopts compliance test methods ASTM E1333-10 or ASTM D6007-02 for certification testing, and these same methods or their equivalents for quality control testing. The rule also requires testing of panels in unfinished condition, prior to application of a finishing or topcoat, no later than 30 calendar days after production.


The new rule requires that panels or bundles of panels sold or offered for sale in the United States be labeled with the following information, which is largely equivalent to CARB labeling except for the certification statement:

  • Panel producer’s name
  • Lot number
  • Third-party certifier number
  • A statement that the products are TSCA Title VI certified.

EPA has stated that “entities are free to combine the TSCA Title VI labels with CARB labels so long as all the required information is present, legible, in English and accurate.” This unfortunately means new labels need to comply with both rules.

Fabricators must label finished goods made with composite wood, or the boxes in which they are sold, with the following:

  • Fabricator’s name (or downstream entity)
  • Date of fabrication (in month/year format)
  • Statement that the finished goods are TSCA Title VI compliant.

Fabricator labels can identify the name of a responsible downstream entity if they obtain and maintain written consent. There is a de minimis exemption for finished goods – composite wood must not exceed 144 square inches based on the surface area of the largest face.

Like CARB, a manufacturer, distributor or importer must also include compliance information on the bill of lading or invoice.

Recordkeeping – manufacturers

Recordkeeping requirements are comparable to CARB, although records must be kept for three years instead of two.

Manufacturers must keep records of:

  • All quarterly emissions testing
  • All quality control testing
  • Production records, including product identification, manufacture dates, and tracking information
  • Records of changes to production methods that could impact compliance (e.g., resin use, composition, changes in press time)
  • Purchaser and transporter contact information
  • Corrective action/disposition of non-complying lots
  • Representative copies of labels.

Manufacturers must also provide their third party certifiers with monthly production data and maintain copies of these production reports for three years.

Recordkeeping – importers, fabricators, distributors, and retailers

Importers, fabricators, distributors and retailers must take “reasonable precautions” to ensure compliance, much like CARB. This means that each member of the supply chain must obtain bills of lading, invoices, or comparable documents that include written certification from the supplier that either the panels/products comply or were manufactured prior to the compliance deadline.

In addition, importers must be able to provide EPA with records showing the following within 30 days of a request:

  • The panel producer and date of production
  • The supplier (if different) and the date of purchase.

Importers must also maintain an import certification under TSCA section 13 for imports after Dec. 12, 2018.

Enforcement Mechanism

Failure to comply is a prohibited act under TSCA section 15, subject to civil penalties of up to $37,500 per day and criminal penalties of up to $50,000 per day. It is unclear how EPA will enforce the limits, as it has not released an enforcement document like CARB did with its “Standard Operating Procedure” that emphasizes sample deconstructive testing to determine compliance.

Compliance Dates

The rule establishes “manufactured by” dates for implementation that apply to both composite wood products and finished goods. The EPA rule does not contain the elaborate system of sell-through dates like the CARB rule. But it does prohibit stockpiling.

Because the definition of manufacture includes import, this is effectively an “imported-by” date for imported composite wood products. The dates for compliance are:

  • Composite wood products manufactured/imported before Dec. 12, 2017 are outside the rule.
    • These products can be incorporated into finished goods indefinitely, as long as they are not stockpiled.
    • Retailers, fabricators, and distributors can continue to buy and sell these products, as long as they are not stockpiled.
  • Laminated products manufactured/imported before Dec. 12, 2023 are not subject to the emissions standards.
    • But, laminated products manufactured/imported after Dec. 12, 2017 must be made from compliant composite wood cores.

Entities must maintain records to demonstrate manufactured-by dates. EPA’s rule document contains a complete list of compliance dates, but it is not particularly user-friendly:

EPA Chart

Clamshell compliance: California’s Rigid Plastic Packaging Container law

California remains on the forefront of sustainability and recycling requirements. A key restriction in California is the Rigid Plastic Packaging Container Law, which targets hard plastic product packaging (namely “clamshells”). The law requires that product manufacturers reduce waste from covered packaging through several methods.

The California Department of Resources Recycling and Recovery, referred to as CalRecycle, administers the law and enforces its requirements. Non-compliance can subject a manufacturer to up to $100,000 in fines per year.

What the law covers

The law applies to packaging that is:

  • Made entirely of plastic (except for incidental portions of the packaging);
  • Inflexible in shape or form;
  • Capable of holding between eight ounces and five gallons of product;
  • Capable of at least one closure (i.e., being sealed shut during packaging).

These criteria exclude, for example, blister packs, plastic bags, plastic sleeves covering products (like an umbrella cover), and very small or very large product packaging.

The law also exempts specific types of products, including packaged hazardous material subject to US Department of Transportation Regulations, and foods, drugs, and cosmetics.

Who the law covers

The law applies to “product manufacturers,” defined as the company that “through its own action or through contract or control, is primarily responsible for causing a product to be produced…”  CalRecycle has issued regulations to clarify this definition, applying the following hierarchy for determining the manufacturer:

  • The brand holder;
  • The company with “control or influence over the design of the product”; and
  • The company with “primary control or influence over the design specifications” of the container.

Based on these criteria, it is likely that in many situations the actual product manufacturer is not responsible for compliance – instead, it will fall to the private labeler (even if a manufacturer is supplying the same product to multiple private labelers).

How to comply

The law requires that manufacturers reduce waste from packaging through any of three methods:

  • Use of post-consumer recycled material in the packaging (at least 25% of the package);
  • Source reduction (reducing the size/amount of packaging by 10% over prior iterations of the same packaging); and
  • Packaging products in reusable containers (refillable at least five times).

Product manufacturers must be able to substantiate compliance with data on the packaging used. The regulations implementing the law provide detailed requirements for doing so.

The RPPC’s unusual enforcement approach

The law’s enforcement approach is highly unusual: CalRecycle annually audits randomly selected manufacturers, requiring them to certify compliance for the coming year. Here’s how the process works:

  • First, CalRecycle notifies a manufacturer that the law applies to it. After notification, the manufacturer must register with CalRecycle within 90 days. Note that the law requires compliance whether or not a manufacturer has received this notification or has registered – but if a manufacturer has not received this notification and registered, it cannot be selected for a compliance audit.
  • Second, CalRecycle randomly selects several manufacturers from the pool of registered entities and provides notice that they may be required to certify compliance. CalRecycle sends these notices out one year in advance of the audit year (by January 31st of the preceding year). Selected manufacturers are in the “Precertification Phase,” and must acknowledge receipt of the Precertification Notice within 90 days.
  • Third, from the pool of precertification manufacturers, CalRecycle selects the manufacturers it will audit. CalRecycle provides the lucky winners with notice of selection by March 31st of the year preceding the audit year.
  • Finally, audited manufacturers must certify compliance by April 1 of the year following the audit year. The regulations provide detailed information for calculating compliance for each of the compliance methods.


While the phased nature of the certification process allows for time to come into compliance, a company failing to meet any deadlines, or ultimately being out of compliance, will be fined. The maximum amount a company can be fined is $100,000 in a calendar year. Companies have been fined tens of thousands of dollars for missing deadlines or failing to comply, and some have been fined multiple times.

Drone requirements continue to evolve

Back in 2015, the FAA promulgated various rules and regulations regarding the use of drones, which included a requirement to register all such aircraft. The FAA has subsequently finalized its rule for Small Unmanned Aircraft Systems, which took effect on August 29, 2016. The new rule offers safety regulations and limitations for unmanned drones weighing less than 55 pounds that conduct “non-hobbyist operations.”

This is particularly relevant because the past year has seen the rapid rise of unmanned aircraft, and various companies are experimenting with the use of drones in their commercial ventures.

This post provides a quick overview of the new rules and regulations relating to drones for commercial and recreational use. Keep an eye on this space for updates and further insight as FAA continues to implement the new rule.

Operational Requirements

The FAA’s final rule implements safety regulations for non-recreational use of unmanned aircraft weighing less than 55 pounds. Users who want to fly for commercial or other business uses must now comply with the following:

  • Weight limit of 55 pounds (inclusive of cargo)
  • Yield to other aircraft
  • Maximum limits on speed and altitude
  • Hazardous materials prohibited
  • Must remain within visual sight of the pilot – pilot cannot be mobile
  • No operation over individuals not directly participating in the flight
  • Only operated in daylight or twilight (if the drone has anti-collision lighting)
  • Flight may not cross state boundaries (with certain exceptions)

Pilot Certification

Drone operators must have a remote pilot airman certificate or be under the direct supervision of one who holds that certificate. To qualify for the certificate, a person must be at least 16 years old and pass a knowledge test and other training requirements.

FAA has issued a summary of the guidelines that is helpful.

Waiver Process

FAA also plans to implement a waiver process for some restrictions if the operator proves the proposed flight will be conducted safely under a waiver. The new FAA rule also allows drones to be legally used for commercial purposes without an approval process if the drones are operated by specified certified pilots in compliance with safety requirements. FAA expects to roll out a waiver and approval process in the coming months.

Drones for Recreational Use

The FAA’s new rule does not apply to drones flown as a hobby or for recreational purposes weighing between 0.55 and 55 pounds, so long as the drone is registered and flown in accordance with the Special Rule for Model Aircraft. Hobby or recreational drones weighing less than 0.55 pounds need not be registered. The FAA has interpreted “model aircraft” to exclude both commercial operations and flights “in furtherance of a business, or incidental to a person’s business.”

Congress expressly limits FAA’s authority over model aircraft so long as:

  • The aircraft is flown strictly for hobby or recreational use;
  • The aircraft is operated in accordance with specified safety guidelines;
  • The aircraft is no more than 55 pounds, unless otherwise certified;
  • When operated, the aircraft does not interfere with manned aircraft; and
  • When flown within 5 miles of an airport, prior notice is given to the airport operator and air control tower.

Second Circuit guts jury verdict with post-trial decertification

Given the low probability that a class action will go to trial and the high probability that a settlement favorable to plaintiffs and their attorneys will be reached after class certification, there is a consistent “race to certification” in many consumer class action matters. The plaintiffs’ bar frequently frames claims with an eye towards meeting Rule 23 requirements, with little regard to whether or not the evidence actually exists to prove the merits of the claims.

While many defendants are disheartened when a class is certified, a recent decision out of the Second Circuit reminds us that certification is not the coup de grâce of any defense, and plaintiffs are always at risk (even after trial) of losing this status.

In Mazzei v. The Money Store, plaintiff Joseph Mazzei brought claims against The Money Store (a loan servicer and mortgage lender), alleging breach of contract for the assessment of late fees after his defaulted loan was accelerated (i.e., the entire sum of principal and interest was due). Mazzei argued that “post-acceleration” late fees violated the terms of the mortgage loan.

Based on these claims, Mazzei sought and obtained certification of a national class of borrowers whose loans were either owned or serviced by The Money Store. He prevailed on his late fee claims at a jury trial, obtaining a class award of approximately $32 million plus prejudgment interest. However, after the jury verdict and before entry of final judgment, The Money Store successfully moved to decertify the class, on the grounds that Mazzei’s failure to prove privity of contract for absent class members failed to meet Rule 23 requirements of typicality and predominance. This ruling left Mazzei, although successful at trial, with an award of only $133.80.

Unsurprisingly, Mazzei appealed the decertification, arguing that 1) decertification is unavailable after a jury trial, 2) decertification findings were incompatible with the Seventh Amendment, and 3) Rule 23 elements were satisfied. The Second Circuit ruled against Mazzei on all three grounds.

First, the Court found that decertification could be granted at any time prior to final judgment. The panel cited the “affirmative duty” of the district court to monitor its class decisions because the results of class proceedings are “binding on absent class members.” Rule 23, the Court held, not only authorized decertification after trial, but the process was “corollary” to the rule’s purpose.

The Court was also not persuaded that decertification after trial impugned any parties’ Seventh Amendment right to a jury trial. Mazzei was able to present his claims to the jury. And absent class members’ right to a jury trial was not impaired because they were still able to file individual claims, since the statute of limitations on any action was tolled up until decertification.

Finally, decertification was justified because the district court had the power to determine that the jury’s factual findings supporting certification were “seriously erroneous,” a “miscarriage of justice,” or “egregious.” The Second Circuit panel agreed with the district court’s assessment that Mazzei was not typical of class members whose loans were serviced (not owned) by The Money Store, and common issues did not predominate because fact-finders would have to look at every class member’s loan documents to determine whether there was privity of contract. Based on the lack of classwide evidence of privity of contract, Rule 23 was not satisfied.

The Court further refused to create subclasses of individuals whose loans were owned by The Money Store, and those whose loans were merely serviced by the company. There was no evidence in the record to enable the Court to determine what types of loans each of the class members had, making subclasses impossible to determine.

This decision is a powerful reminder that a class can be decertified at any stage in a litigation, enabling defendants to snatch victory from the jaws of defeat after an unfavorable jury verdict. Hopefully, plaintiffs will become more thoughtful about their cases, with the realization that making factual allegations to get past class certification will do them no good if they can’t back them up.

New PCI requirements for retailers

For retailers that accept credit or debit cards and use service providers, a new version of the PCI Data Security Standards (PCI DSS v3.2) will impose new requirements as of November 1, 2016.

The Payment Card Industry (PCI) Security Standards Council issued “clarifications” and “evolving requirements” in the new version. Clarifications are changes to ensure “that concise wording in the standard portrays the desired intent of the requirements.” Evolving requirements aim to “ensure that the standards are up to date with emerging threats and changes in the market.” The Council also issued guidance as part of the new standards.

Altogether, there are 44 clarifications and 12 evolving requirements. Although every change can be important, this post focuses on the 12 evolving requirements.

November 1, 2016 Compliance Date

  • Section 3: adopts a “minimum necessary” standard for Permanent Account Number (PAN) display. The display would usually be limited to only the last 4 digits of the PAN or, if a bank identification number is needed, only the first 6 digits of the PAN.
  • Section 8.3: requires multi-factor authentication for all “individual non-console administrator access” and all remote access to the cardholder data environment. Note that the guidance specifies that multi-factor authentication is not required at both the system level and the application level for any particular system component.
  • Section 8.3.2: requires multi-factor authentication for “all remote network access originating from outside the entity’s network [both user and administrator, and including third party access for support or maintenance].” Per the guidance, this requirement applies to any remote access “when that remote access could lead to access to the cardholder data environment.” The guidance also recommends (but does not require) multi-factor authentication for all remote access to the entity’s network.
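The Section 3 display rule above (last four digits by default, first six only where a bank identification number is genuinely needed) is easy to get wrong when PANs of different lengths and formats arrive from point-of-sale or CRM systems. The following Python helper is an added example, not code from the original post or from the PCI Security Standards Council; it assumes PANs are 13 to 19 digits long and treats the “need BIN” decision as a caller-supplied flag that should be tied to a documented business role.

```python
"""Mask a PAN for display (constructed example, not PCI SSC reference code).

PCI DSS v3.2 limits what a display may show to at most the first six and
last four digits of the PAN, and only the digits a role actually needs.
This helper applies that rule: last four by default, first six added only
when the caller asserts a business need to see the bank identification
number (BIN).  It is for display only; storage rules are a separate topic.
"""
import re

# Assumption: PANs are 13 to 19 digits, as is common for the major card brands.
_MIN_PAN_LEN = 13
_MAX_PAN_LEN = 19


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes; raise ValueError if the result is not a plausible PAN."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not _MIN_PAN_LEN <= len(digits) <= _MAX_PAN_LEN:
        raise ValueError("input does not look like a PAN")
    return digits


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Luhn catches transcription errors, not fraud; it is used here only to
    decide whether an input is worth masking and displaying at all.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, need_bin: bool = False, fill: str = "*") -> str:
    """Return a display string that never reveals more than first six + last four.

    need_bin=False -> "************1111"  (last four only, the usual case)
    need_bin=True  -> "411111******1111"  (first six exposed for BIN-based reporting)
    """
    digits = normalise_pan(raw)
    visible_head = 6 if need_bin else 0
    visible_tail = 4
    hidden = len(digits) - visible_head - visible_tail
    return digits[:visible_head] + fill * hidden + digits[-visible_tail:]


if __name__ == "__main__":
    # Constructed test numbers, not real accounts.
    for sample, bin_needed in (("4111 1111 1111 1111", False), ("4111111111111111", True)):
        if luhn_valid(normalise_pan(sample)):
            print(mask_pan(sample, need_bin=bin_needed))
```

The point of separating `need_bin` from the masking itself is that the decision to expose the first six digits becomes an explicit, auditable input rather than something buried in a display template, which is what an assessor will ask about when checking the “minimum necessary” standard.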

January 31, 2018 Compliance Date

While these new requirements have a long lead time, the new standards describe them as “best practices” until the compliance date.

  • Section 3.5.1: requires service providers to maintain a documented description of their cryptographic architecture. This documentation includes details of algorithms, protocols, and keys (key strength, expiry date, and usage), as well as the hardware security modules and other secure cryptographic devices used for key management. Keeping this documentation current helps service providers detect missing keys and identify unauthenticated additions to the cryptographic architecture.
  • Section 6.4.6: mandates updated documentation, including network diagrams, system configurations, and vulnerability scanning for any new or changed systems and networks.
  • Section 8.3.1: requires multi-factor authentication for administrator non-console access into the cardholder data environment. Per the guidance, this requirement does not apply to application or system accounts performing automated functions.
  • Section 10.8: requires service providers to establish processes for timely detection and reporting of failures of critical security control systems, such as firewalls, anti-virus systems, physical access controls, and audit logging.
  • Section 10.8.1: requires service providers to respond in a timely fashion to failures of the critical security control systems.
  • Section requires service providers that elect to use segmentation to test the segmentation controls at least every six months and after any change to those controls or methods. These tests take the form of penetration tests performed at least twice a year.
  • Section 12.4.1: requires service provider executive management to establish responsibility for protection of cardholder data and a PCI DSS compliance program, including a charter and communication to executive management.
  • Section 12.11: requires service providers to perform reviews (at least quarterly) to confirm that personnel are following security policies and operational procedures. These reviews must include: (1) daily log reviews; (2) firewall rule-set reviews; (3) applying configuration standards to new systems; (4) responding to security alerts; and (5) change management processes. Testing procedures include interviews of responsible personnel.
  • Section 12.11.1: requires service providers to document the quarterly review process in Section 12.11, including the results of the reviews and sign-off by the personnel assigned responsibility for the PCI DSS compliance program.
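Sections 10.8 and 10.8.1 ask for timely detection of, and response to, failures of critical security controls such as firewalls, anti-virus, physical access controls and audit logging. One reliable signal that works across all of these is that a control has either reported an error state or has simply stopped reporting. The Python monitor below is an added example, not code from the original post or from the PCI Security Standards Council; the status-line format, the per-control silence limits and the sample records are all constructed for illustration.

```python
"""Detect failures of critical security controls (constructed example).

Each control class is expected to emit a periodic status record.  A control
is treated as failed when its latest record is not "ok" or when it has been
silent for longer than its allowed window.  The output is the list an
on-call team would be paged for, which is the "detection" half of the
requirement; the response half is whatever ticketing process follows.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed maximum acceptable gap between status reports, per control class.
MAX_SILENCE = {
    "firewall": timedelta(minutes=5),
    "antivirus": timedelta(hours=1),
    "audit_logging": timedelta(minutes=10),
    "physical_access": timedelta(minutes=15),
}


@dataclass(frozen=True)
class StatusRecord:
    control: str    # one of the MAX_SILENCE keys
    host: str
    ts: datetime
    state: str      # "ok" or any error string


def parse_records(lines):
    """Parse constructed 'ISO-timestamp control host state' lines into StatusRecord objects."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue    # a malformed line must not crash the monitor itself
        ts_s, control, host, state = parts
        out.append(StatusRecord(control, host, datetime.fromisoformat(ts_s), state))
    return out


def detect_failures(records, now):
    """Return a sorted list of (control, host, reason) for failed or silent controls."""
    latest = {}
    for r in records:
        key = (r.control, r.host)
        if key not in latest or r.ts > latest[key].ts:
            latest[key] = r
    failures = []
    for (control, host), rec in latest.items():
        window = MAX_SILENCE.get(control)
        if window is None:
            continue    # not a tracked critical control
        if rec.state != "ok":
            failures.append((control, host, f"reported state '{rec.state}' at {rec.ts.isoformat()}"))
        elif now - rec.ts > window:
            failures.append((control, host, f"no report for {now - rec.ts} (limit {window})"))
    return sorted(failures)


# Constructed sample records: one collector reporting an error, one firewall silent.
SAMPLE_LINES = [
    "2016-11-01T09:00:00 firewall fw-edge-1 ok",
    "2016-11-01T09:06:00 firewall fw-edge-1 ok",
    "2016-11-01T08:30:00 antivirus pos-12 ok",
    "2016-11-01T09:05:00 audit_logging syslog-collector error",
    "2016-11-01T08:40:00 physical_access dc-door-3 ok",
    "2016-11-01T09:03:00 physical_access dc-door-3 ok",
    "2016-11-01T08:00:00 firewall fw-edge-2 ok",
    "garbage line",
]
NOW = datetime(2016, 11, 1, 9, 10, 0)


if __name__ == "__main__":
    for control, host, reason in detect_failures(parse_records(SAMPLE_LINES), NOW):
        print(f"FAILURE {control} on {host}: {reason}")
```

Two design choices matter for an assessor. First, silence is treated as failure, because a firewall or log collector that quietly stops is the case the requirement is really aimed at. Second, the silence window is per control class, so a slow anti-virus heartbeat does not page at the same urgency as a firewall that has been unreachable for five minutes.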