In response to increased data breaches like the Heartland Payment System incident, some states have passed laws requiring businesses to comply with the Payment Card Industry Data Security Standard (PCI DSS), while others have passed laws with enhanced privacy and encryption requirements for organizations that handle consumers' credit and debit card numbers. But can state laws be changed quickly enough to keep pace with the creative approaches of individuals who commit fraud?
According to Javelin Strategy & Research's 2010 Data Breach Prevention and Response study, approximately 26 percent of U.S. consumers received data breach notifications in 2009. The study also found that one in four consumers had their credit or debit card replaced in 2009 due to security concerns. Additionally, data collected by the Identity Theft Resource Center shows that though the number of breaches may rise and fall, overall, the number data breaches has doubled since 2007.
Source: http://idtheftcenter.org
*Adjusted Heartland number from 30 million to 130 million as per alleged breaches in Justice Department documentation.
Enhanced state encryption and payment card laws
States such as Massachusetts, Arizona, and Nevada have enacted encryption laws, while other states such as Washington and Minnesota have enacted payment card laws. However, to date, only Nevada and Washington have enacted a combination of both encryption and payment card laws.
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain personal financial data about its residents. Massachusetts' new encryption law is said to add teeth to a key requirement that many security breach notification laws lack by specifically delineating the security requirements that organizations must adopt to ensure their security measures are "reasonable" and "adequate." Some of those specifications include securing user authentication protocols, encrypting all personal information that travels across public networks and wirelessly, monitoring systems for unauthorized use or access, and updating security systems.
States that have adopted both enhanced encryption and payment card laws go a step further, requiring not only compliance with PCI DSS but also that the organization have an annual security assessment validating its compliance. The assessment must be performed annually to ensure compliance with PCI DSS.
What about out-of-state business?
Businesses that transact with consumers from one of the states that have enacted these laws may be required to comply with the new state laws. For instance, the Nevada encryption law applies to businesses in the state of Nevada but may extend its reach to businesses outside the state if they have a strong enough presence in Nevada.
Laws assign liability to payments participants
Some state laws address liability among payments participants to ensure that the participant in the best position to prevent loss carries its share, if not all, of the costs associated with the loss and subsequent loss prevention efforts. Determining which participant is responsible has undergone changes in the states that have adopted enhanced payment card laws. The states of Washington, Nevada and Minnesota, for example, make merchants who are not compliant with PCI DSS liable to financial institutions for associated costs in instances of security breaches. Washington state holds a business or processor liable to a financial institution for costs related to a data breach even if the financial institution has suffered no loss. Under Washington state's new payment card law, a vendor may also be held liable to a financial institution for damages that occurred as a direct result of the vendor's negligence.
Conclusion
Since the loss of data can be an indicator that fraud is being perpetrated, these latest state laws look to ensure that businesses who hold such data do so in a manner that appropriately safeguards consumers' privacy. Data breach and loss containment are ongoing challenges for organizations that handle consumers' nonpublic personal information, including credit and debit card numbers. The new encryption and payment card laws may require organizations handling consumer payments information to fundamentally reexamine their corporate security compliance obligations and evaluate the technical resources required to comply with specific state standards.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed