California considers tougher law on securing payment card data

Computerworld - California legislators are scheduled to hold a hearing today on a proposed bill that would create new data security and breach notification requirements for all organizations processing credit and debit card transactions in the state.

The bill, officially known as AB 779, is being sponsored by the California Credit Union League (CCUL). It was introduced in February by State Assemblyman Dave Jones (D-Sacramento) and has been amended three times since then, most recently on May 14.

If passed, the measure would explicitly prohibit retailers and other merchants from storing certain specific types of authentication data taken from the magnetic stripes on the back of credit and debit cards. This information includes card verification value and  personal identification numbers, as well as encrypted PIN block data and payment verification codes.

The legislation would also require merchants to use so-called strong encryption routines and access controls while storing or transmitting other types of data, such as card numbers and the names of account holders.

In addition, the bill would mandate that a breached entity reimburse affected banks and credit unions for all the costs they incur to alert customers and reissue cards. And AB 779 would modify existing state requirements on providing notifications of security breaches. Retailers would be forced to disclose more details about breaches, including a description of the categories of personal data that might have been compromised. They also would have to set up toll-free numbers for people to get more information.

The bill is scheduled to be discussed today before the State Assembly's Committee on Appropriations. If approved by the committee, it would go to the full assembly for a vote before June 8. The measure would also need to be approved by the state Senate and signed by Gov. Arnold Schwarzenegger before it could become law.

Driving the need for such legislation are the burgeoning costs that credit unions have to bear as a result of retail security breaches, said Keri Bailey, a Sacramento-based lobbyist for the CCUL. Large and midsize credit unions can easily end up shelling out between $500,000 and $750,000 annually in breach notification and card replacement costs, Bailey said. Those figures don't include any fraud-related charges that might stem from breaches, she noted.