Texas mulls bill that would make PCI requirements a state law

Computerworld - Retailers and other entities accepting credit and debit card transactions in Texas may soon have a powerful new incentive for complying with the Payment Card Industry (PCI) data security standard mandated by the major credit card companies.

The state's House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies who are PCI compliant and get breached. The proposal needs to win approval in the state Senate before it becomes law.

The data protection bill (HB 3222) was sponsored by Rep. Gary Elkins (R-Houston), vice-chairman of the Texas Business & Industry Committee. It is designed to get merchants to implement proper controls for securing personal customer data.

PCI is a data security standard mandated by the major credit card companies, including Visa International, Mastercard Worldwide, Discover and American Express. It has emerged as private industry's most visible effort yet to self-regulate amid growing consumer and congressional concerns about retail security breaches. The standard mandates 12 security controls that all entities accepting payment cards are required to implement. Companies in violation of PCI rules can be fined and even lose the privilege of accepting payment card transactions.

According to the language of the bill, "A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards." The bill would allow a financial institution in the state to request a breached entity to provide certification of its compliance with PCI specified controls. HB 3222 would require the certification to be issued by a PCI-approved auditor no earlier than 90-days before the breach.

The bill should spur broader adoption of PCI security controls, said Winter Prosapio, communications director for the Texas Credit Union League, one of the biggest supporters of the bill. It also provides for a way for credit unions to recover the increasing costs associated with blocking and reissuing cards after a retail security breach, she said. On average, credit unions are finding themselves spending nearly $5 for every card they have to replace, she said. And sometimes they have to do so more than two or three times every year, Prosapio added.