Privacy Advisor

New Liability Under State Law Stresses Need for Strong Data Security for Payment Card Data

September 1, 2007

Heidi C. Salow, Jim Halpert and David Lieber

Merchants striving to comply with the Payment Card Industry Data Security Standards (PCI DSS) now have additional reason to focus on the security of payment card data. In late May, Minnesota became the first state to hold merchants strictly liable for costs incurred by financial institutions who assist consumers following the discovery of a security breach.

This new Minnesota security breach law codifies one aspect of the PCI DSS by prohibiting entities conducting business in Minnesota from retaining credit or debit card security code data, PIN verification codes, or the full contents of any track of magnetic stripe data for more than 48 hours after the authorization of a transaction. The credit and debit card data retention provisions became effective on August 1, 2007. The retailer liability provisions become effective on August 1, 2008.

Similar Data Security Measures Are Being Championed in Other States

Similar measures are being championed by community banks and credit unions in a variety of other states. They complain that they incur significant costs when they have to close customer credit and debit card accounts in the wake of security breaches.

On June 5, the California Assembly passed by a 58-2 vote a more far-reaching codification of several PCI requirements. The measure passed despite broad industry opposition and is now pending in the California Senate. Similar legislation recently was introduced in New Jersey. A bill to codify all the PCI Rules died in the Texas Senate last month after passing the Assembly, but will likely be considered again in Texas next year. In Congress, House Financial Services Chairman Barney Frank, D-Mass., has expressed support for the idea of holding merchants liable for expenses financial institutions incur responding to security breaches.

Merchants Face Potential Strict Liability for Costs Associated With Security Breaches

Under the new Minnesota law, financial institutions that issue payment cards may sue merchants conducting business in Minnesota for reimbursement associated with undertaking reasonable actions in the wake of data security breaches involving their payment cards that result in the loss of computerized personal data. Such actions include, but are not limited to, the following:

  • Cancelling existing debit or credit cards and the replacement of such cards.
  • Closing any financial accounts affected by the breach, as well as actions undertaken to stop payments or block transactions with respect to the financial accounts.
  • Opening or reopening any financial accounts affected by the security breach.
  • Issuing refunds or credits to cardholders to cover the costs of unauthorized transactions related to the breach.
  • Notifying cardholders affected by the breach.

This financial reimbursement provision imposes a strict liability standard on merchants — i.e., merchants' liability is not limited to security breaches attributable to negligence or poor information security practices. Thus, a merchant who suffers a security breach can apparently be held strictly liable for the costs incurred by financial institutions, even when the merchant was in full compliance with the PCI DSS requirements or industry best practices for data security.

Law Codifies One of the PCI Data Security Standards
The PCI DSS were developed by the major payment card networks to create uniform data security standards for payment card data. The standards — which apply to the entire system of merchants, acquiring banks, and credit card associations that are members of the PCI Security Standards Council — regulate the storage, processing, or transmission of a credit or debit card number. Version 1.0 of the PCI DSS went into effect on June 30, 2005; a revised version (1.1) was released in September 2006 principally because of confusion regarding the requirements and deadlines in the original version.

The PCI DSS already impose rigorous requirements upon all businesses that accept credit or debit cards for payment. The standards set forth detailed technical mandates for compliance, which are divided into twelve broader requirements.

In general, merchants and service providers are required to build and maintain a secure network, protect cardholder data while storing it, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Many businesses are still not in full compliance with the PCI DSS, although the original version was issued in December 2004.

One of the PCI standards prohibits the storage of sensitive authentication data, such as magnetic stripe data, credit card security code numbers, or debit card PIN authentication numbers. The Minnesota law essentially codifies this prohibition by requiring the destruction of such data within 48 hours after a transaction is authorized.
 
Penalties for Non-Compliance
As a general rule, the PCI DSS assumes that merchants are in the best position to safeguard credit card data because they have a direct relationship with the customer. Accordingly, compliance requirements, dates for compliance, and penalties are set by individual credit card issuers. Financial institutions play an active role in monitoring PCI DSS compliance and reporting non-compliant merchants. For example, a financial institution can report a non-compliant merchant to a list which is available to other financial institutions that issue credit or debit cards. A merchant on such a list will find it difficult to process credit card transactions.

Additional penalties can be imposed if there is a breach of credit card data. For example, if a merchant suffers a credit card data breach and the merchant was not in compliance with the PCI DSS at the time of the breach, an affected credit card company may impose a fine of as much as $500,000 per incident plus payment of costs associated with the breach. Other fines and restrictions may be imposed, as well.

What Can You Do As a Merchant or Service Provider?

  • Review the progress of your PCI compliance efforts and ensure that your information security program adequately addresses PCI compliance requirements, as well as the requirements of new statutes such as the Minnesota law. Consider engaging your in-house or external counsel to assist with the review of these efforts so as to preserve attorney-client privilege for documents created during the compliance review process.
  • Ensure that your PCI compliance team task force has adequate resources and buy-in throughout your organization.
  • Determine specifically whether you destroy magnetic stripe, credit card security code, and PIN authentication numbers, as required by Minnesota's new law.
  • Pay particular attention to the security of payment card data in your possession, to reduce the likelihood of a security breach involving such data and to mitigate those risks.
  • Review your contractual relationships with third parties with which you share, or to which you grant access to, your payment card data, so as to properly allocate the risks and liabilities associated with such a breach in light of this new legislation.

Heidi C. Salow is Of Counsel with DLA Piper US LLP. She handles cutting-edge issues involving privacy and data security, intellectual property, and e-commerce and has been involved in legislative advocacy, commercial transactions, regulatory compliance and litigation, and identifies successful legal solutions for high-tech businesses. She is an expert on a wide-range of federal and state privacy, data security and e-commerce laws. Prior to joining DLA Piper, Salow was Senior counsel and Director for Sprint Nextel Corporation, where she handled a wide range of privacy, data security, mobile content, and e-commerce matters. She can be reached at heidi.salow@dlapiper.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

Jim Halpert is co-chair of the Communications, E-Commerce and Privacy practice of DLA Piper LLP, a global law firm. He practices in the firm's DC office. Halpert counsels software developers, e-commerce companies, service providers, financial services companies, IT and content companies on a broad range of legal issues relating to new technologies, including Internet gambling, privacy, spyware/adware, cyber-security, government surveillance standards, consumer protection, intellectual property protection, spam, Internet jurisdiction, online contract formation, content regulation and First Amendment law. He may be reached at jim.halpert@dlapiper.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

David Lieber is an Associate in DLA Piper's E-Commerce & Privacy group. Lieber counsels clients on complying with federal and state electronic privacy and security laws. He has counseled clients in the aftermath of security breaches, as well as advised clients on ways to enhance data security practices. Prior to joining DLA Piper, Lieber served as a Legislative Assistant on the Senate Judiciary Committee to Senator Dick Durbin (D-IL), where he handled privacy, data security and electronic commerce issues.


© DLA Piper US LLP 2007. All rights reserved.