PCI Security Standards Council Unveils New Data Security Standards

On Thursday, October 28, 2010, the Payment Card Industry Security Standards Council (the “Council”) promulgated version 2.0 of its Data Security Standard (“PCI DSS”), which sets forth data security standards for payment card processors. The Council also updated its Payment Application Data Security Standard (“PA DSS”), which sets forth data security standards for software vendors that develop payment applications. Each new Data Security Standard will take effect on January 1, 2011.

In its summaries of the changes to each Data Security Standard, the Council makes clear that the majority of the changes arose from the need to clarify the intent of certain requirements, provide additional explanations or definitions, and ensure that the standards were up to date with emerging threats and changing markets.

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

  • Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
  • Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
  • Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
  • Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities and rank them according to risk and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.

Bellwether or Bust? Washington Governor Signs Payment Card Data Breach Liability Provisions Into Law

On March 22, 2010, Washington Governor Christine Gregoire signed H.B. 1149 into law, making her state the second behind Minnesota (see our post here) to hold businesses and governmental entities responsible to financial institutions for certain costs arising from payment card information breaches. As of July 1, entities that process more than 6 million credit or debit card transactions annually (referred to in PCI parlance as “level 1” merchants) who fail to reasonably safeguard card information can be required to reimburse financial institutions for the costs related to the re-issuance of cards, as well as attorneys’ fees and costs, in the event that a security breach involving payment card information is a proximate result. H.B. 1149 also includes a provision making vendors of card processing software and equipment liable to financial institutions for these costs to the extent such damages are proximately caused by the vendor’s negligence. The amount of such damages, of course, will depend on the particular breach.

H.B. 1149’s safe harbors and exemptions, however, help to minimize the scope and potential impact of the new law. For example, the new law exempts businesses that are certified as compliant with the Payment Card Industry Data Security Standards (“PCI DSS”) at the time of a breach. Most large merchants and card processors are well-acquainted with PCI DSS requirements and have already implemented safeguards aimed at PCI DSS compliance. So the new law should not require Herculean efforts or wholesale changes to covered entities’ cardholder information security programs. However, their liability exposure for losses arising from non-compliance is increased as a result of H.B. 1149.

Entities also are not liable if the payment card information was encrypted at the time of the breach.

The bill signed by Governor Gregoire does not include provisions from earlier versions of the bill that would have, among other things, prohibited covered entities from retaining cardholder data without the express consent of customers and held such entities liable in the event of a breach involving unencrypted cardholder data about more than 5,000 individuals. Likewise, a provision that would have allowed merchants to charge an extra two cents for each payment card transaction in order to cover the cost of insurance against potential liabilities under the law did not survive in the enacted version of the legislation.

With the enactment of H.B. 1149, Washington joins Minnesota as the only states to statutorily impose liability for breach-related costs on negligent merchants, payment card processors and vendors. It also distinguishes itself from the handful of other states in which attempts to enact such laws have failed, such as California, where Governor Schwarzenegger vetoed a similar measure in 2007. Additionally, with the adoption of H.B. 1149, Washington joins Nevada in its quest to incorporate parts of the PCI DSS into its state law. As we previously wrote, Nevada exempts certain entities that are PCI DSS compliant from some of the state’s encryption requirements.

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third-party companies’ costs arising from data breaches. These latest bills, introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas, represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV, a unique authentication code embedded on the magnetic stripe);
  • the three- to four-digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction.

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institutions for the “costs of reasonable actions” both to protect their cardholders’ information and to continue to provide services to their cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover the costs of damages it pays to cardholders resulting from a breach.

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

  • that account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment-related data sent across a network be encrypted; and
  • that companies have role-based restrictions for employee access to such data.
The bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license, breached personal information to reimburse data owners and licensees for the “reasonable and actual costs” of providing data breach notification.

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry’s Data Security Standard (“PCI DSS”). The PCI DSS is an extensive set of industry security standards designed to prevent identity theft that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision.

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.