Secure Payments, PCI DSS, Regulatory Compliance Blog

Nevada Mandates PCI DSS

June 22nd, 2009 by hmark Posted in Compliance, Encryption, Government, Legislation, PCI DSS

As we’ve been expecting for some time, states are beginning to take action with respect to mandating PCI DSS. The trend began with Minnesota’s Plastic Card Security Act, which prohibited the storage of sensitive authentication data. While not a wholesale adoption of the PCI DSS, it did codify existing Card Brand regulations and Requirement 3.2 of the standard. For the last two years, a number of states have been debating making PCI DSS a law. Texas’ controversial bill is still a concern for many. Nevada, however, becomes the first state to mandate compliance with PCI DSS. According to the law, which amends NRS 603A “Security of Personal Information”, any organization that does business in the state must “comply with the current version” of the PCI DSS as adopted by the PCI Security Standards Council “or its successor organization.” The law further states that companies must comply by the deadlines established by the PCI SSC. (It should be noted here that the PCI SSC does not set the compliance deadlines. These are set by the individual card brands.)

In addition to those companies involved in payment card transactions, the law takes aim at other organizations that may transmit personally identifiable information, by mandating that they transmit this data in an encrypted format. As many of you may know, I’ve previously found Nevada’s definition of encryption, as detailed in Nevada Statute (NRS 205.4742 Encryption Defined), to be interesting to say the least. In that law, Nevada defined encryption as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

The state’s new PCI DSS law narrows this definition considerably: encryption now means “the protection of data in electronic or optical form, in storage or in transit, using (1) an encryption technology that has been adopted by an established standards body…” Specifically, the statute names FIPS and NIST, so an obfuscation or encoding scheme that merely renders data “unintelligible” no longer qualifies. It further requires appropriate key management techniques and again references NIST standards for those.

We are likely to see a repeat of what followed California’s passage of SB 1386, which introduced the country to data breach notification laws: a domino effect in which 45 states followed suit. In the most recent issue of Secure Payments Magazine, I discussed the issue of what I termed “PCI laws.” (The article can be found at www.securepaymentsmag.com.) The question raised in the article was whether or not PCI DSS would eventually be overtaken by the state and federal laws passed to protect consumer privacy. The Nevada law makes no specific reference to enforcement. It will be interesting to see whether other states follow suit in leaving enforcement to the card brands, or whether, as in some proposed legislation, they (inadvertently or not) change the enforcement and application of the standard by implication, for example by offering “safe harbor” to entities that have been validated as compliant via an onsite assessment by a Qualified Security Assessor within the last 90 days.

