Texas mulls bill that would make PCI requirements a state law

Retailers that accept credit cards would be financially liable for data breach costs

Retailers and other entities accepting credit and debit card transactions in Texas may soon have a powerful new incentive for complying with the Payment Card Industry (PCI) data security standard mandated by the major credit card companies.

The state's House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies who are PCI compliant and get breached. The proposal needs to win approval in the state Senate before it becomes law.

The data protection bill (HB 3222) was sponsored by Rep. Gary Elkins (R-Houston), vice-chairman of the Texas Business & Industry Committee. It is designed to get merchants to implement proper controls for securing personal customer data.

PCI is a data security standard mandated by the major credit card companies, including Visa International, Mastercard Worldwide, Discover and American Express. It has emerged as private industry's most visible effort yet to self-regulate amid growing consumer and congressional concerns about retail security breaches. The standard mandates 12 security controls that all entities accepting payment cards are required to implement. Companies in violation of PCI rules can be fined and even lose the privilege of accepting payment card transactions.

According to the language of the bill, "A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards." The bill would allow a financial institution in the state to request a breached entity to provide certification of its compliance with PCI specified controls. HB 3222 would require the certification to be issued by a PCI-approved auditor no earlier than 90-days before the breach.

The bill should spur broader adoption of PCI security controls, said Winter Prosapio, communications director for the Texas Credit Union League, one of the biggest supporters of the bill. It also provides for a way for credit unions to recover the increasing costs associated with blocking and reissuing cards after a retail security breach, she said. On average, credit unions are finding themselves spending nearly $5 for every card they have to replace, she said. And sometimes they have to do so more than two or three times every year, Prosapio added.

For a lot of credit unions, such breaches also represent a "reputation risk," she said. "People expect their information to be held safe by their credit unions, but we don't have any control over it if the merchant leaves their gates wide open," she said.

The provisions in the proposed Texas bill will add to the increasing financial burdens that retailers already have to bear in data breach situations, said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc.

"Frankly, the banks are shifting too [much] liability to the merchants," Litan said. Entities that accept payment cards already pay for fraud-related costs via the so-called interchange fees they must pay upfront to credit card companies and banks. Under PCI, merchants are also contractually required to pay a substantial amount of the costs resulting from a data breach, including those associated with fraudulent card use.

"In every single instance, the retailer already has to pay for the direct costs of the fraud. And now banks are trying to shift the customer service costs to the retailer as well," she said. "Retailers are being pinned against the wall, frankly," Litan said. "If laws like this take affect, it could have serious consequences on a retailer's balance sheets."

Texas is not the only state eyeing such a bill. In Massachusetts, legislation proposed earlier this year by state Rep. Michael Costello would hold retailers financially liable to banks for the costs of a credit card security breach.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon