Minnesota Gives PCI Rules a Legal Standing

New state law will penalize merchants that store card data if breaches occur

Minnesota last week became the first state in the country to turn a core requirement of the Payment Card Industry (PCI) Data Security Standard into a law.

Under the state's Plastic Card Security Act, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards.

They could also be subject to lawsuits filed by individuals claiming to have been affected by violations of the law, which was signed by Gov. Tim Pawlenty after previously being approved by overwhelming margins in the Minnesota House and Senate. The law applies to all companies that process more than 20,000 card transactions annually.

The PCI standard, which was created by the major credit card companies, specifically prohibits retailers and other merchants from storing card data, such as the three- and four-digit verification codes on the back of cards and the full contents of a card's magnetic stripe.

Nevertheless, some retailers continue to keep card data on their systems, a practice that poses the greatest of any security risks to the information, said Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network in St. Paul. "PCI rules make it explicitly clear that you are not supposed to be storing it," Humphrey said, adding that the new state law formally reinforces that requirement.

The credit union association was a major supporter of the legislation. Humphrey said the group's interest in the measure was driven by the increasing costs faced by its nearly 160 members as a result of data breaches at merchants. "We've been hearing from credit unions who were very frustrated with the number of data breaches and the number of times they've had to reissue cards," she said. "They're frustrated that the onus has entirely been on them and not on the merchant."

No Time in Texas

The Minnesota law is similar to one that was proposed in Texas this year. The Texas House of Representatives passed that bill by a vote of 139-0 early this month, but the proposal failed to make it through the Texas Senate because there wasn't enough time before today's scheduled ending of the state's regular biennial legislative session.

"We needed about two more weeks to address concerns about the bill," said Winter Prosapio, communications director at the Texas Credit Union League. "We did not have that opportunity. We got into the Senate without having the time to go through the bill and explain how PCI works."

The next legislative session in Texas isn't scheduled to start until January 2009. But in the meantime, the Texas Credit Union League will lobby for passage of national laws related to the PCI standard, Prosapio said. "With every breach," she added, "there's an increased urgency at the federal level to make sure that merchants are adhering to their agreements [under PCI]."

But Gartner Inc. analyst Avivah Litan expressed concern about the fairness of Minnesota's law, pointing to the fact that many packaged payment applications store personal identification numbers and other prohibited card information by default. Often, companies are storing card data without even realizing it, Litan said.
