IAPP-GDPR Web Banners-300x250-FINAL

Heidi C. Salow, Jim Halpert and David Lieber

Merchants striving to comply with the Payment Card Industry Data Security Standards (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions who assist consumers following the discovery of a security breach.

This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions became effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches.

On June 5, the California Assembly passed by a 58-2 vote a more far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation recently was introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank, D-Mass., has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated With Security Breaches

Under the new Minnesota law, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data. Such actions include, but are not limited to, the following:

  • Cancelling existing debit or credit cards and the replacement of such cards.
  • Closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
  • Opening or reopening any financial accounts affected by the security breach.
  • Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • Notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants — i.e., merchants' liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards
The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards — which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council — regulate the storage, processing, or transmission of a credit or debit card number. Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements.

In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.
Penalties for Non-Compliance
As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such a list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

  • Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
  • Ensure that your PCI compliance team task force has adequate resources and buy-in throughout your organization.
  • Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota's new law.
  • Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
  • Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.

Heidi C. Salow is Of Counsel with DLA Piper US LLP. She handles cutting-edge issues involving privacy and data security, intellectual property, and e-commerce and has been involved in legislative advocacy, commercial transactions, regulatory compliance and litigation, and identifies successful legal solutions for high-tech businesses. She is an expert on a wide-range of federal and state privacy, data security and e-commerce laws. Prior to joining DLA Piper, Salow was Senior counsel and Director for Sprint Nextel Corporation, where she handled a wide range of privacy, data security, mobile content, and e-commerce matters. She can be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it


Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm's DC office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it


David Lieber is an Associate in DLA Piper's E-Commerce & Privacy group. Lieber counsels clients on complying with federal and state electronic privacy and security laws. He has counseled clients in the aftermath of security breaches, as well as advised clients on ways to enhance data security practices. Prior to joining DLA Piper, Lieber served as a Legislative Assistant on the Senate Judiciary Committee to Senator Dick Durbin (D-IL), where he handled privacy, data security and electronic commerce issues.

© DLA Piper US LLP 2007. All rights reserved.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»