Minnesota becomes first state to make core PCI requirement a law
Texas legislators have been considering a similar move
May 23, 2007 12:00 PM ETComputerworld - Minnesota this week became the first state in the county to turn a core requirement of the Payment Card Industry (PCI) data security standard into a law for all companies handling credit and debit card data.
Under the state's new Plastic Card Security Act, any company that suffers a data breach and is found to have been storing prohibited card data on its systems will have to reimburse banks and credit unions the costs associated with blocking and reissuing cards. Such companies could also be subject to private action brought by individuals who might have been affected by a violation of the state law. Companies handling fewer than 20,000 payment card transactions per year are not liable under the law.
The act was signed into law by Minnesota Gov. Tim Pawlenty on Monday. It had earlier passed the Minnesota Senate by a margin of 63-1 and the House by a 122-4 vote.
PCI is a data security standard developed by the major credit card companies, including MasterCard International Inc., Visa International and American Express Co. Under the standard, all entities accepting credit and debit card transactions are required by contract to implement a set of 12 security controls to protect payment card data against compromise. PCI specifically prohibits companies from storing card data such as the full contents of the magnetic stripe on the back of each card or the three- and four-digit verification codes on their systems.
Minnesota is the first state to codify the PCI requirement into law. According to the text of the bill, a company is in violation of the law if it or its service provider stores the prohibited data once a transaction is completed. In the case of personal identification number debit transactions, the PIN block data can't be stored beyond 48 hours after the transaction has been completed.
The law is important because the greatest risk to card holder data comes from the continued practice by some retailers of storing this information on their systems, said Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network (MnCUN), one of the major backers of the law.
"PCI rules make it explicitly clear that you are not supposed to be storing it," Humphrey said. The law formally reinforces that requirement for merchants, she said.
MnCUN's interest in getting the law passed was driven by the increasing costs to its nearly 160 credit union members in the state as a result of merchant data breaches, she said. "We have been hearing from credit unions who were very frustrated with the number of data breaches and the number of times they've had to reissue cards," Humphrey said. "They're frustrated that the onus has entirely been on them and not on the merchant."
Minnesota
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

