Archive for the ‘Government’ Category
The backlash started slowly with a law in Minnesota and one in Texas (almost, and maybe still), and it continues with the presumed passage of California AB 779. This is legislation that would address data security breach notification, require card replacement, and mandate storage of only necessary data.
This may put the minds of consumers in California at ease, but cardholder data security has been in the works for many years now, and 2007 is the tipping point for merchant compliance. Statistics to be released shortly will show that in the USA, significantly more merchants are compliant than non-compliant with the PCI DSS.
I’m glad to see consumers voting their concern, but these laws only push the compliance ball faster as it crests the mountain and begins to look down on those merchants that still have not validated that they are securely storing consumer data.
Update: the bill was vetoed on October 13, 2007 by Governor Schwarzenegger. He said two things that should make the card brands happy:
- “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information.”
- “This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace,” he said. “This measure creates the potential for California law to be in conflict with private sector data security standards.”
Well, the LogBlog beat us to it, in posting about California’s laws on data handling. I read through the bill they link to and it’s all about storage and disclosure. From the bill:
The bill would also prohibit a retail seller from retaining personal information for longer than 90 days after the date of an original transaction or as specified.
[The company] shall disclose any breach … or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
So the disclosure piece is only applicable if the data was unencrypted. Good to know.
Also worth thinking about is California bill 1747.09, which would go into effect on Jan. 1, 2009. You can read it here:
(a) Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit or debit cards for the transaction of business shall print more than the last five digits of the credit or debit card account number or the expiration date upon any receipt provided to the cardholder.
(b) This section shall apply only to receipts that are electronically printed and shall not apply to transactions in which the sole means of recording the person’s credit or debit card number is by handwriting or by an imprint or copy of the credit or debit card.
What would this mean for the industry? You have to remember that chargebacks are the only real reason a company has for storing credit card data. To perform a chargeback you need (1) the authorization code and (2) the card number.
This law would mean a company cannot store the information necessary to perform chargebacks, meaning the industry may have to change its practices for handling these transactions.
This week Minnesota trumped Texas in being the first state to make PCI compliance a law. Minnesota is home to people like Garrison Keillor and the many Swedes that live there. It is also a great Midwestern state, eh?
The state’s Plastic Card Security Act would set the following:
The law says that any company that suffers a data breach and is shown to have stored prohibited card data will have to reimburse banks for the cost of blocking the exposed cards and issuing new ones.
Companies that handle fewer than 20,000 payment card transactions yearly are exempted.
The act outlaws the post-transaction storage of data prohibited by the PCI DSS, but PIN data can be stored for 48 hours for debit card transactions.
A Harvard law blog points out that:
The state already has a data breach notification law, similar to those now spreading through state legislatures like wildfire.
The law does not mention PCI, but it is strongly based on it. You will note that this law now enables the cardholder to seek direct damages against a company that improperly discloses their credit card data.
How will this change PCI? It will not. The merchant still has an obligation to their acquirer to validate compliance. This new law is simply a new avenue for consumers and consumer advocacy groups to pursue direct damages from the merchant. It greases the skids for future lawsuits.
There is a lot of debate going on in the courts right now about FACTA and how it applies to identity theft. (Some precedent here.) So what is FACTA and how does it apply to PCI compliance?
Well, FACTA is not Luigi Facta, the Italian politician and journalist. It is the Fair and Accurate Credit Transactions Act (FACTA). Most people know FACTA because it entitles them to a free copy of their credit report if they are ever denied credit for any reason. It also enables them to put a fraud warning on their credit account if they feel they are a victim of identity theft.
I want to stop here and remind everyone that credit card theft has NOTHING to do with identity theft. To say it does would be the equivalent of saying that by stealing cash from your wallet one could then re-create your monthly paycheck. Identity theft means stealing the basic building blocks that can be used to create more credit, debt, and identification sources. Examples would be stealing someone’s social security number, birth certificate, or other ID. Stealing an omelet does not enable me to make eggs!
But, there is another side of the FACTA law that addresses credit card security.
The FTC’s latest FACTA rule requires any business “that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to “properly dispose of such information or compilation.” Both FACTA and the new rule are supposed to cut down on the incidences of identity theft by, among other methods, restricting the ability of thieves to go “dumpster diving” for valuable consumer information contained in discarded business records.
According to the Privacy Rights Clearinghouse:
FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card’s expiration date be printed on the cardholder’s receipt. However, the effective date of this provision is a long way off, and there are a couple of loopholes:
- This section does not apply to receipts for which the sole means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.
- For machines in use before January 1, 2005, the merchant has three (3) years to comply.
- For machines in use after January 1, 2005, the merchant has one (1) year to comply.
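Both the California bill 1747.09 text quoted earlier and the FACTA provision above reduce to two mechanical rules for an electronically printed receipt: print at most the last five digits of the card number, and print no expiration date. The following is an added example, not code from this blog or from any POS vendor, of how a merchant or QSA could check receipt templates and captured print output against those two rules. It assumes receipts are available as plain text, that an expiration date is labelled with some form of “EXP” on the receipt, and that a Luhn check is an adequate filter for telling a card number apart from other digit runs such as store numbers or authorization codes; the sample receipts are constructed for the example.

```python
"""Check receipt text against the truncation rules quoted above:
at most the last five digits of the PAN, and no expiration date."""
import re

# A run of 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits (so we do not split a longer number).
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption: expiry dates on the receipt carry an EXP / EXPIRES / EXPIRY label.
EXPIRY = re.compile(r"\bEXP(?:IRES|IRY)?\b[:\s]*\d{2}\s*/\s*\d{2,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 5) -> str:
    """Mask a card number for printing, keeping only the trailing `keep` digits.

    The default of five matches the quoted California and FACTA wording.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_receipt_violations(receipt: str) -> list[str]:
    """List the ways a receipt's text breaks the two truncation rules."""
    problems = []
    for match in PAN_RUN.finditer(receipt):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            problems.append(
                f"full card number printed (should be {truncate_pan(digits)})"
            )
    if EXPIRY.search(receipt):
        problems.append("expiration date printed")
    return problems


# Constructed sample receipts; 4111 1111 1111 1111 is a well-known test number.
BAD_RECEIPT = """ACME MART  #0042
VISA 4111 1111 1111 1111  EXP 05/09
AUTH 123456
TOTAL $42.17"""

GOOD_RECEIPT = """ACME MART  #0042
VISA ***********11111
AUTH 123456
TOTAL $42.17"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT)):
        print(label, find_receipt_violations(text) or "compliant")
```

Pointing this at the print spool or the receipt templates of a test lane is the quickest way to see whether a terminal still emits a full PAN; the Luhn filter keeps the six-digit authorization code and the store number from being reported as card numbers.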
So what do we do now? Well, the consumers sue the merchants, who in turn sue the POS vendors, when the reality of the matter is that monetary loss due to thrown-out credit card numbers comes nowhere near the numbers and actionable volume seen in cases such as the TJX breach. How many dumpsters would you have to dive into to obtain (and then manually enter) the 40 million card numbers rumored to be compromised as part of the TJX breach? Why would any self-respecting hacker dive into a dumpster when they can compromise a non-compliant merchant or service provider?
And, please oh please, do not label credit card theft as identity theft. It is nothing of the sort. *sigh*
I was having a look around to see if I could find any more data on the forthcoming European disclosure rulings that I talked about recently, because it is becoming more apparent just what an effect they will have on PCI, along with SEPA, in the next few years. Of course, being able to pin it down would be nice; it would get the marketing guys doing some work for a change…
My first search turned up very little, but there is a SANS newsbite which links to a couple of interesting articles. I wish I’d read this last week, as I met Hank Jan Spanjaard from Decru, quoted in the second article, at InfoSec last week and could have asked him a bit more. I will get hold of him next week and try to get a better idea of exact dates, but even SANS are only saying “at the end of the year” so far.
(OK, so I lied about not doing posts for a few days… I was traveling all day yesterday, so my wife’s still in bed and the neighbours woke me up, as usual. Ah, Spain, my nemesis.)
I’ve just posted about Kenneth Belva’s latest article on my personal blog. I don’t want to repeat myself, but PCI in Europe is a case in point for the weight of reputational damage in driving security, and I think it also proves that it IS loss of reputation that drives people to comply, rather than financial liability.
PCI DSS in the US is driven hard by California’s data rulings, everyone complies with PCI DSS because they know they are protected from the big ugly monster of SB1386. In the UK and Europe, no such laws exist as yet, and PCI, with exactly the same rules, deadlines and effects, is still nowhere near as “complied with” as in the US.
The value of the data is usually weighed up against the cost of losing the data (I know Alex at Risk Analys.is will have something to say on this). If one is significantly out of line with the other, we either get security, or more regulations have to be applied to back it up. We in Europe need another backup.
PCI is good and strong; it has the right ideas and motives, but it doesn’t cost enough to ignore. £500,000 isn’t enough for a big push, or even the big publicity to generate more talk around a big push. The loss of brand reputation absolutely is. Come November this year we should be seeing a shift towards PCI when a committee sits in Brussels to decide the future of the European Data Protection Directive. This time we are hoping for a disclosure clause, and PCI will become the facilitator that it has always promised to be.
Have we been at this for over a year? No, APACS just likes to release fraud statistics frequently. We talked about this late last year, but Ambersail reminds us again that APACS, the UK payments association, says that online credit card fraud is up 16%. This is coupled with a reduction in retail fraud due to the Chip and PIN rollout.
You can read the APACS press release online. Strangely enough PCI is not mentioned. Ok, stay calm, maybe they forgot about PCI in the rush to publish the press release.
Nope. Sandra Quinn, director of communications at APACS, says:
We need Government intervention to remove the current barriers to this and we welcome improvements proposed in the Fraud Review and the Serious Crime Bill.
Now, I am not against this. I believe data privacy legislation is a good thing, but the whole idea behind PCI was to be a proactive, industry driven compliance program that removed the need for government intervention.