Heidi C. Salow, Jim Halpert and David Lieber

Merchants striving to comply with the Payment Card Industry Data Security Standards (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions who assist consumers following the discovery of a security breach.

This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions became effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches.

On June 5, the California Assembly passed by a 58-2 vote a more far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation recently was introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank, D-Mass., has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated With Security Breaches

Under the new Minnesota law, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data. Such actions include, but are not limited to, the following:

  • Cancelling existing debit or credit cards and the replacement of such cards.
  • Closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
  • Opening or reopening any financial accounts affected by the security breach.
  • Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • Notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants — i.e., merchants' liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards
The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards — which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council — regulate the storage, processing, or transmission of a credit or debit card number. Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements.

In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.
Penalties for Non-Compliance
As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such a list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

  • Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
  • Ensure that your PCI compliance team task force has adequate resources and buy-in throughout your organization.
  • Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota's new law.
  • Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
  • Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.

Heidi C. Salow is Of Counsel with DLA Piper US LLP. She handles cutting-edge issues involving privacy and data security, intellectual property, and e-commerce and has been involved in legislative advocacy, commercial transactions, regulatory compliance and litigation, and identifies successful legal solutions for high-tech businesses. She is an expert on a wide-range of federal and state privacy, data security and e-commerce laws. Prior to joining DLA Piper, Salow was Senior counsel and Director for Sprint Nextel Corporation, where she handled a wide range of privacy, data security, mobile content, and e-commerce matters. She can be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it


Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm's DC office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it


David Lieber is an Associate in DLA Piper's E-Commerce & Privacy group. Lieber counsels clients on complying with federal and state electronic privacy and security laws. He has counseled clients in the aftermath of security breaches, as well as advised clients on ways to enhance data security practices. Prior to joining DLA Piper, Lieber served as a Legislative Assistant on the Senate Judiciary Committee to Senator Dick Durbin (D-IL), where he handled privacy, data security and electronic commerce issues.

© DLA Piper US LLP 2007. All rights reserved.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

IAPP-OneTrust PIA Platform

Simplify privacy impact assessments with this cloud-based customizable platform - free to IAPP members!

72% say privacy is now a board-level concern

Find out more about privacy governance in the IAPP-EY Annual Privacy Governance Report 2016.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Time to Get to Work at the Congress

It's almost here! Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register now!

Plan for the Summit

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Registration opens December 19!

Intensive Education at the Practical Privacy Series

This year's Series spotlights Data Breach, FTC and Consumer Privacy, GDPR and Government privacy issues. It’s the education you need NOW. Early bird ends Nov. 4!

Speak at the Symposium

The call for speakers is open! The Symposium returns to Toronto this Spring and programming is now underway. Looking to share your privacy prowess? Submit by November 20!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»