On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information.  More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder data environment.  A number of studies have shown that breach is tied increasingly to security vulnerabilities introduced by third parties.  To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach.

On June 29, 2012, New Jersey Governor Chris Christie signed into law legislation amending New Jersey’s unclaimed property law relating to the escheat of abandoned stored value cards (SVCs) to the state. Under the original unclaimed property law, which took effect July 1, 2010, SVCs that were inactive for two years were presumed abandoned, and New Jersey required that the monetary value associated with the inactive cards be escheated to the state. Additionally, SVC issuers were required to (a) “obtain” the name and address of each card owner or purchaser, and (b) “at a minimum, maintain a record of the zip code of the owner or purchaser” of each SVC. Under the amended law, SVCs are presumed abandoned after five years of inactivity (as opposed to two years), and SVC issuers have a forty-eight month grace period before they are required to collect the names, addresses, and zip codes of SVC owners or purchasers. Issuers that do not collect purchasers’ names and addresses in the normal course of business or during a card-registration process are exempted from collecting purchasers’ names and addresses under the law, but they are still required to collect and maintain purchasers’ zip codes.
It should be noted that the unclaimed property law potentially conflicts with a separate New Jersey law protecting the personal information of credit card holders (N.J. Stat. § 56:11-17 (2012)). That law makes it unlawful for any person to require the disclosure of any personal identification information from a credit card holder that is not required to complete the transaction as a condition of allowing the card holder to use the credit card to complete the transaction. While we await the resolution of this potential conflict, courts may rule that no conflict exists: § 56:11-17 only addresses credit card use, but the state’s unclaimed property law makes no distinction between payment methods (and, therefore, doesn’t condition the use of a credit card on the collection of personal information).

On August 10, 2010, the U.S. Court of Appeals for the Seventh Circuit upheld an earlier ruling by the Northern District of Illinois Eastern Division that email order confirmations are not “electronically printed” receipts under the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act. Shlahtichman v.1-800 Contacts Inc., Case No. 09-4073 (7th Cir.; Aug. 10, 2010). The court affirmed the dismissal of Shlahtichman’s complaint against 1-800 Contacts Inc. that involved an electronic order confirmation containing Shlahtichman’s credit card expiration date.

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”
The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.