Minnesota becomes first state to make core PCI requirement a law

Computerworld - Minnesota this week became the first state in the county to turn a core requirement of the Payment Card Industry (PCI) data security standard into a law for all companies handling credit and debit card data.

Under the state's new Plastic Card Security Act, any company that suffers a data breach and is found to have been storing prohibited card data on its systems will have to reimburse banks and credit unions the costs associated with blocking and reissuing cards. Such companies could also be subject to private action brought by individuals who might have been affected by a violation of the state law. Companies handling fewer than 20,000 payment card transactions per year are not liable under the law.

The act was signed into law by Minnesota Gov. Tim Pawlenty on Monday. It had earlier passed the Minnesota Senate by a margin of 63-1 and the House by a 122-4 vote.

PCI is a data security standard developed by the major credit card companies, including MasterCard International Inc., Visa International and American Express Co. Under the standard, all entities accepting credit and debit card transactions are required by contract to implement a set of 12 security controls to protect payment card data against compromise. PCI specifically prohibits companies from storing card data such as the full contents of the magnetic stripe on the back of each card or the three- and four-digit verification codes on their systems.

Minnesota is the first state to codify the PCI requirement into law. According to the text of the bill, a company is in violation of the law if it or its service provider stores the prohibited data once a transaction is completed. In the case of personal identification number debit transactions, the PIN block data can't be stored beyond 48 hours after the transaction has been completed.

The law is important because the greatest risk to card holder data comes from the continued practice by some retailers of storing this information on their systems, said Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network (MnCUN), one of the major backers of the law.

"PCI rules make it explicitly clear that you are not supposed to be storing it," Humphrey said. The law formally reinforces that requirement for merchants, she said.

MnCUN's interest in getting the law passed was driven by the increasing costs to its nearly 160 credit union members in the state as a result of merchant data breaches, she said. "We have been hearing from credit unions who were very frustrated with the number of data breaches and the number of times they've had to reissue cards," Humphrey said. "They're frustrated that the onus has entirely been on them and not on the merchant."