Minnesota becomes first state to make core PCI requirement a law

Texas legislators have been considering a similar move

Minnesota this week became the first state in the county to turn a core requirement of the Payment Card Industry (PCI) data security standard into a law for all companies handling credit and debit card data.

Under the state's new Plastic Card Security Act, any company that suffers a data breach and is found to have been storing prohibited card data on its systems will have to reimburse banks and credit unions the costs associated with blocking and reissuing cards. Such companies could also be subject to private action brought by individuals who might have been affected by a violation of the state law. Companies handling fewer than 20,000 payment card transactions per year are not liable under the law.

The act was signed into law by Minnesota Gov. Tim Pawlenty on Monday. It had earlier passed the Minnesota Senate by a margin of 63-1 and the House by a 122-4 vote.

PCI is a data security standard developed by the major credit card companies, including MasterCard International Inc., Visa International and American Express Co. Under the standard, all entities accepting credit and debit card transactions are required by contract to implement a set of 12 security controls to protect payment card data against compromise. PCI specifically prohibits companies from storing card data such as the full contents of the magnetic stripe on the back of each card or the three- and four-digit verification codes on their systems.

Minnesota is the first state to codify the PCI requirement into law. According to the text of the bill, a company is in violation of the law if it or its service provider stores the prohibited data once a transaction is completed. In the case of personal identification number debit transactions, the PIN block data can't be stored beyond 48 hours after the transaction has been completed.

The law is important because the greatest risk to card holder data comes from the continued practice by some retailers of storing this information on their systems, said Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network (MnCUN), one of the major backers of the law.

"PCI rules make it explicitly clear that you are not supposed to be storing it," Humphrey said. The law formally reinforces that requirement for merchants, she said.

MnCUN's interest in getting the law passed was driven by the increasing costs to its nearly 160 credit union members in the state as a result of merchant data breaches, she said. "We have been hearing from credit unions who were very frustrated with the number of data breaches and the number of times they've had to reissue cards," Humphrey said. "They're frustrated that the onus has entirely been on them and not on the merchant."

The Minnesota bill is similar to one that was proposed in Texas recently. That bill passed 139-0 in the state's House of Representatives in early May but failed to make it through the Texas Senate because of a lack of time. The bill went into the state Senate's Business and Commerce Committee on the last day the committee met last week.

If it had become law, the measure would have set PCI requirements that merchants would have had to comply with. As with the Minnesota law, Texas HB 3222 would have held breached entities financially liable to credit unions and banks for the costs associated with a data loss. It would have also provided a safe harbor against such liability for companies that complied with PCI requirements at the time of their getting breached.

"We needed about two more weeks to address concerns" related to the bill in the Senate, said Winter Prosapio, communications director at the Texas Credit Union League, one of the biggest supporters of the measure. "We did not have that opportunity. We got into the Senate without having the time to go through the bill and explain how PCI works," she said.

Looking ahead, the Texas Credit Union League will continue to lobby for passage of similar laws at the national level, Prosapio said. "With every breach, there's an increased urgency at the federal level to make sure that merchants are adhering to their agreements" under PCI, she said.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon