and James Graves
Anyone who deals with credit card data is probably familiar with the Payment Card Industry Data Security Standard. PCI DSS requires anyone who stores, processes, or handles payment cards to meet certain technical and process requirements. Larger merchants and service providers must pass regular external security assessments, and everyone subject to PCI DSS must undergo frequent scans for technical vulnerabilities. Failure to comply with PCI DSS can lead to significant fines in the event of a data breach.
In 2007, Minnesota became the first state to pass a law based on PCI DSS. The Minnesota law prohibits anyone conducting business in Minnesota from storing sensitive information from credit and debit cards. The law makes non-compliant entities liable for financial institutions' costs of canceling and replacing credit cards compromised in a security breach.
Last year, when Nevada updated its encryption law, it included a requirement that anyone who does business in that state and accepts payment cards must comply with PCI DSS.
On March 22, 2010, Washington became the third state to enact a law connected to PCI DSS. Washington's law is similar to Minnesota's in that it allows financial institutions to recover the costs of reissuing payment cards after a data breach. If a business fails to take reasonable care to protect against unauthorized access, and that failure is found to be the cause of a breach, then the business is liable for the cost to financial institutions of reissuing the compromised cards of Washington residents. However, a business is not liable under the new law if that business was certified as PCI DSS compliant within one year prior to the breach.
As with most laws of this type, Washington's law applies to organizations outside its own borders. For example, a "business" is any legal or commercial entity that "provides, offers, or sells goods or services" to Washington residents and handles six million or more payment card transactions per year. The law also applies to "vendors" and "processors," the definitions of which do not include any geographic restrictions and might be expected to include anyone who would be within the reach of Washington law.
Anyone who stores, processes, or handles credit cards has already been subject to PCI DSS requirements. Washington's new law does not appear to add any new requirements, but it does create the risk of additional costs for non-compliance. Merchants with customers in Washington who handle large numbers of credit cards now have an extra incentive to maintain PCI DSS compliance.