California data handling laws
June 8th, 2007 by datasecurity Posted in Compliance, Government, Legislation
Well, the LogBlog beat us to it in posting about California’s laws on data handling. I read through the bill they link to, and it is all about storage and disclosure. From the bill:
The bill would also prohibit a retail seller from retaining personal information for longer than 90 days after the date of an original transaction or as specified.
[The company] shall disclose any breach … or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
So the disclosure requirement applies only when the personal information that was acquired (or is reasonably believed to have been acquired) was unencrypted; a breach involving only encrypted data does not trigger notification under this wording. Good to know.
Also worth thinking about is California Civil Code section 1747.09, which would go into effect on Jan. 1, 2009. The relevant text:
(a) Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit or debit cards for the transaction of business shall print more than the last five digits of the credit or debit card account number or the expiration date upon any receipt provided to the cardholder.
(b) This section shall apply only to receipts that are electronically printed and shall not apply to transactions in which the sole means of recording the person’s credit or debit card number is by handwriting or by an imprint or copy of the credit or debit card.
What would this mean for the industry? You have to remember that chargebacks are the main reason a company has for storing credit card data. To perform a chargeback you need (1) the authorization code and (2) the card number.
Note what the section actually restricts, though: it limits what may be printed on the receipt provided to the cardholder, not what the merchant records or stores. On its own it does not stop a company from retaining the card number and authorization code needed for a chargeback; the constraint on storage comes from the 90-day retention limit in the other bill. Taken together, the two rules mean the industry may have to change its practices for handling these transactions.
One Response to “California data handling laws”
By secguy on Jun 12, 2007
How do these new bills apply to ecomm?
The bill says, “The bill would also prohibit a retail seller from retaining personal information for longer than 90 days after the date of an original transaction or as specified.”
If the data is encrypted can you keep it longer?