In a major development affecting the privacy and data-security practices of direct marketers, Minnesota has become the first state in the country to write one of the key components of the credit card industry’s data-security standards, the Payment Card Industry (PCI) standards, into law.
Minnesota’s Plastic Card Security Act, MN HB 1758, was signed into law by Governor Tim Pawlenty on May 21 following passage by overwhelming majorities in the Minnesota House and Senate.
Under the terms of the act, any company conducting business in Minnesota that accepts payment via credit or debit card must ensure that it does not retain the card’s security-code data, the PIN-verification code number or the full contents of the information on the card’s magnetic stripe (the card’s track data) subsequent to the authorization of the transaction.
In addition, when a company that stores this data in violation of the above requirement suffers a data-security breach, that company must reimburse the financial institution that issued the cards for the costs associated with reissuing cards, closing accounts, notification regarding the breach and “any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach.”
The importance of maintaining absolute security with regard to track data cannot be overstated. As Visa warned in its August 2006 bulletin, “With little effort, a duplicate card can be created using track information that will appear indistinguishable from the original card during the authorization process.”
When it comes to track data, merchants may store only the specific data elements necessary to support card acceptance. Anything outside of the cardholder name, account number, expiration date and service code must be purged from all of a merchant’s systems immediately after authorization of a transaction is received.
Many merchants remain unaware of the risks associated with storing this data. Visa warns that “merchants that use commercially available POS systems should contact their POS vendors to validate whether the applications and versions in use are storing track data or other sensitive data, such as PINs.”
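As an added illustration (not code from the article, from Visa or from any POS vendor), the following Python sketch shows both halves of the retention rule described above: reducing a swiped track to the four elements a merchant may keep, and scanning stored records for leftover track strings, which is the kind of check a merchant would run when validating a POS application. Track layouts follow ISO/IEC 7813; the log lines and the 4111... PAN are constructed sample data.

```python
import re

# Track layouts follow ISO/IEC 7813. Only the PAN, cardholder name, expiration
# date and service code may be kept after authorization; the discretionary field
# (where PIN verification values and card verification codes live) and the raw
# track string itself must be purged.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

def permitted_elements(track: str) -> dict:
    """Reduce a raw track string to the elements a merchant may retain.
    The discretionary field is dropped deliberately; the raw track is not returned."""
    m = TRACK1_RE.search(track) or TRACK2_RE.search(track)
    if m is None:
        raise ValueError("input is not a recognisable Track 1 or Track 2 string")
    f = m.groupdict()
    return {
        "pan": f["pan"],
        "name": f.get("name"),        # Track 2 carries no cardholder name
        "expiration": f["exp"],       # YYMM
        "service_code": f["svc"],
    }

def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual display form for findings."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_stored_track_data(blob: str) -> list:
    """Scan stored text (POS log, database export) for full track strings.
    Returns (track type, masked PAN) per hit so the report itself holds no track data."""
    hits = []
    for label, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        hits.extend((label, mask_pan(m.group("pan"))) for m in rx.finditer(blob))
    return hits

# Constructed sample of what a misconfigured POS application might write to disk.
# The PAN is the well-known 4111... test number, not a real account.
SAMPLE_LOG = (
    "2007-05-21 10:02:13 AUTH ok pan=411111******1111 amt=19.99\n"
    "2007-05-21 10:02:13 DEBUG swipe=%B4111111111111111^DOE/JANE^2512101123456789?\n"
    "2007-05-21 10:04:40 DEBUG swipe=;4111111111111111=25121011234567890?\n"
)

if __name__ == "__main__":
    for hit in find_stored_track_data(SAMPLE_LOG):
        print("full track data found:", hit)
```

The first log line (a masked PAN with no track framing) is not flagged, only the two debug lines that hold complete swipes are.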
All entities involved in accepting or processing credit cards are under a contractual obligation to abide by the terms of the PCI Standards. The major card associations have been stepping up enforcement. More than $4 million in penalties were levied in 2006. The associations are also offering financial incentives to speed up compliance across the industry. However, the card industry itself has acknowledged that compliance with the PCI standards needs to be improved. Visa said in December that only 36 percent of the largest merchants reported being in compliance with the standards.
Minnesota’s Plastic Card Security Act, however, marks the first instance of the transformation of at least one of the PCI Standards into a statutory requirement. It reflects what could become a trend in statehouses across the country. Laws similar to the Plastic Card Security Act are under consideration in a number of states, including California and Texas.