June 27, 2007

New Liability

Under State Law Stresses Need for

Strong Data Security for Payment Card Data

Merchants who are striving to comply with the Payment Card Industry Data Security Standards (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions who assist consumers following the discovery of a security breach.

This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions become effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches.

On June 5, the California Assembly passed by a 58-2 vote a more
far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation was recently introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank (D-MA) has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated with Security Breaches

Under the new Minnesota law, financial institutions1 that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data.2 Such actions include, but are not limited to, the following:

  • cancelling existing debit or credit cards and the replacement of such cards.
  • closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
  • opening or reopening any financial accounts affected by the security breach.
  • issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants – i.e., merchants’ liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards

The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards – which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council – regulate the storage, processing, or transmission of a credit or debit card number.3 Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements.

In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.

Penalties for Non-Compliance

As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

  • Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
  • Ensure that your PCI compliance team task force has adequate resources and buy-in throughout your organization.
  • Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota’s new law.
  • Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
  • Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.

1 “Financial institution” means any office of a bank, bank and trust, trust company with banking powers, savings bank, industrial loan company, savings association, credit union, or regulated lender.

2 “Personal information” means first and last name or first initial and last name, combined with one or more of the following unencrypted – or encrypted but compromised – data elements:
(a) Social Security number;
(b) driver's license number or Minnesota identification card number; or
(c) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a financial account.

3 Certain PCI DSS Requirements may apply to hosting providers with access to cardholder data.