
Heidi C. Salow, Jim Halpert and David Lieber

Merchants striving to comply with the Payment Card Industry Data Security Standards (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions who assist consumers following the discovery of a security breach.

This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions became effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches.

On June 5, the California Assembly passed by a 58-2 vote a more far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation recently was introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank, D-Mass., has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated With Security Breaches

Under the new Minnesota law, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data. Such actions include, but are not limited to, the following:

  • Cancelling existing debit or credit cards and the replacement of such cards.
  • Closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
  • Opening or reopening any financial accounts affected by the security breach.
  • Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • Notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants — i.e., merchants' liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards

The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards — which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council — regulate the storage, processing, or transmission of a credit or debit card number. Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements.

In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.
Penalties for Non-Compliance

As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such a list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

  • Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
  • Ensure that your PCI compliance task force has adequate resources and buy-in throughout your organization.
  • Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota's new law.
  • Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
  • Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.
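The retention check in the third item above can be automated. The following script is an added example written for this article, not code from the authors or from the PCI Security Standards Council; the record layout, field names and sample transactions are assumptions constructed for illustration. It flags stored transaction records that still hold sensitive authentication data (card security code, PIN verification data, or magnetic-stripe track data) more than 48 hours after authorization, recognising track data both by field name and by its ISO/IEC 7813 shape when it hides in free-text fields, and scrubs the offending fields.

```python
"""Retention check for sensitive authentication data (SAD).

Added illustration, not from the article. Flags records whose card
security code, PIN verification data or magnetic-stripe track data has
been kept more than 48 hours after authorization, and removes those
fields. Record layout and field names are assumptions for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_LIMIT = timedelta(hours=48)  # window stated in the Minnesota law

# Field names assumed to hold SAD in this example's record layout.
SAD_FIELDS = {"cvv", "pin_block", "pvv", "track1", "track2"}

# Track-data shapes (ISO/IEC 7813): track 1 "%B<PAN>^<NAME>^<YYMM>...",
# track 2 ";<PAN>=<YYMM>...". These catch SAD copied into free-text fields.
TRACK_PATTERNS = (
    re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}"),
    re.compile(r";\d{13,19}=\d{4}"),
)


@dataclass
class StoredTxn:
    txn_id: str
    authorized_at: datetime  # timezone-aware timestamp of authorization
    fields: dict


def sad_fields(txn: StoredTxn) -> list:
    """Names of fields in this record that contain SAD, by name or by shape."""
    found = []
    for name, value in txn.fields.items():
        if value in (None, ""):
            continue
        by_name = name in SAD_FIELDS
        by_shape = any(p.search(str(value)) for p in TRACK_PATTERNS)
        if by_name or by_shape:
            found.append(name)
    return sorted(found)


def overdue(txn: StoredTxn, now: datetime) -> bool:
    """True once the 48-hour window after authorization has elapsed."""
    return now - txn.authorized_at > RETENTION_LIMIT


def audit(txns, now: datetime) -> dict:
    """Map txn_id -> SAD field names retained beyond the 48-hour window."""
    findings = {}
    for txn in txns:
        if overdue(txn, now):
            names = sad_fields(txn)
            if names:
                findings[txn.txn_id] = names
    return findings


def scrub(txns, now: datetime) -> int:
    """Delete overdue SAD fields in place; return the number of fields removed."""
    removed = 0
    by_id = {t.txn_id: t for t in txns}
    for txn_id, names in audit(txns, now).items():
        for name in names:
            del by_id[txn_id].fields[name]
            removed += 1
    return removed


def sample_records(now: datetime) -> list:
    """Constructed sample data for the example (not real card data)."""
    return [
        # 72h old: CVV by name, track 2 data hiding in a note field.
        StoredTxn("t1", now - timedelta(hours=72),
                  {"pan_last4": "1111", "cvv": "123",
                   "note": ";4111111111111111=2512101"}),
        # 1h old: still inside the 48-hour window, not yet overdue.
        StoredTxn("t2", now - timedelta(hours=1),
                  {"pan_last4": "4444", "cvv": "456"}),
        # 72h old but holds no SAD; PAN handling falls under other PCI rules.
        StoredTxn("t3", now - timedelta(hours=72),
                  {"pan_last4": "8888", "expiry": "2512"}),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    records = sample_records(now)
    print("overdue SAD:", audit(records, now))
    print("fields scrubbed:", scrub(records, now))
    print("after scrub:", audit(records, now))
```

Running `audit` on a read-only copy of the store before `scrub` gives an evidence trail for counsel; the shape-based patterns matter because the law and the PCI standard prohibit retaining the data itself, not merely a column with a particular name.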

Heidi C. Salow is Of Counsel with DLA Piper US LLP. She handles cutting-edge issues involving privacy and data security, intellectual property, and e-commerce and has been involved in legislative advocacy, commercial transactions, regulatory compliance and litigation, and identifies successful legal solutions for high-tech businesses. She is an expert on a wide range of federal and state privacy, data security and e-commerce laws. Prior to joining DLA Piper, Salow was Senior Counsel and Director for Sprint Nextel Corporation, where she handled a wide range of privacy, data security, mobile content, and e-commerce matters. She can be reached at heidi.salow@dlapiper.com.

Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm's DC office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at jim.halpert@dlapiper.com.

David Lieber is an Associate in DLA Piper's E-Commerce & Privacy group. Lieber counsels clients on complying with federal and state electronic privacy and security laws. He has counseled clients in the aftermath of security breaches, as well as advised clients on ways to enhance data security practices. Prior to joining DLA Piper, Lieber served as a Legislative Assistant on the Senate Judiciary Committee to Senator Dick Durbin (D-IL), where he handled privacy, data security and electronic commerce issues.

© DLA Piper US LLP 2007. All rights reserved.
