On May 14, 2007, Jaikumar Vijayan, writing for Computerworld, reported on what may be a look at the future for retailers in the United States.
The article, “Texas mulls bill that would make PCI requirements a state law,” states:
The state’s House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise.
Personally, I view a unanimous vote proof that this legislative body is doing more than mulling a legal shift in liability to merchants of the State of Texas. Unless this legislation runs into unexpected opposition in the State Senate then law it will become.
More research will need to be conducted but one telling feature of this legislation would appear to be that, unlike the credit card associations’ data security standard, this law doesn’t permit any relaxation of liability standards for smaller vendors.
According to the language of the bill, “A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards.”
If you have your own merchant account and have not been contacted by your ISO in regard to PCI compliance certification now might be a good time to give your account representative a call. The card associations’ standards (and the expenses that go with them) increase with the number of transactions a merchant handles per card type in any given year. Look for Texas to be only the first State to go this route. The author notes that Massachusetts saw similar legislation introduced earlier this year. It is probably a sure bet that the associations are lobbying in many (if not all) States and, possibly, abroad as well, for similar legislation to be enacted.
2Checkout was proud to be among the first CNP retailers to meet the original PCI compliance deadline. Our vendors can consider their 2Checkout arrangement to be a PCI compliance alternative.
2 Comments »
+0
-0
These data breaches are inexcusable and are usually due to the fact that people are implementing horribly insecure websites and doing nutty things like storing card information in flat file ASCII text databases.
The bad thing about this law is the fact that it is only allowing banks to be reimbursed for their costs. Banks have enough money and honestly I don’t really care if they get reimbursed. Its the consumers whose identities are stolen that deserve compensation, and I don’t mean compensation in the form of a year of free credit monitoring. They should be able to sue the company that caused the breach for the full cost of it, including the damage to their credit reports.
The fact that 2CO is PCI compliant means none of us have to worry about this law and the possible legal effects it could have on us.
+0
-0
My first reaction to the Texas Legislation is that it is pro-bank and was able to pass because of the strong Bank Lobby in the state of Texas.
However, as I thought about this issue more, one question comes to mind:
Should banks have to incur the significant costs of reissuing millions of credit cards to customers because of a breach in data security by a merchant?