I’ve been thinking about the question if PCI legislation, such as the Minnesota law, helps reduce data compromises. Michael Santarcangelo and Patrick Romero wrote an article on this legislation, but this only explores the potential impact.  I highly recommend reading Dr. Heather Mark’s in depth analysis in Transaction World.

Popularity: 29% [?]

Security Catalyst has a nice article that discusses the Minnesota PCI legislation with a perspective on the courts, businesses, and potential impacts.

This is all happening outside the realm of the industry PCI compliance requirements and will act as, yet another, attack vector for consumers and lawyers to penalize the affected company.

Popularity: 26% [?]

The backlash started slow with a law in Minnesota and Texan (almost and maybe still) and continues with the presumed passage of California AB 779. This is legislation that would address data security breach notification, require card replacement, and mandate only storage of necessary data.

This may put the minds of consumers in California at ease, but cardholder data security has been in the works for many years now, and 2007 is the tipping point for merchant compliance. Statistics to be released shortly will show that in the USA, significantly more merchants are compliant than non compliant with the PCI DSS.

I’m glad to see consumers voting their concern, but these laws only push the compliance ball faster as it crests the mountain and begins to looks down on those merchants still have not validated they are securely storing consumer data.

Update: and the bill was vetoed on October 13, 2007 by governor Schwarzenegger. He said two things that would make the card brands happy:

• “attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information.”
• “This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace,” he said. “This measure creates the potential for California law to be in conflict with private sector data security standards.”

Popularity: 27% [?]

I like to hear comments like those from Mike Rothman about PCI:

So what’s the bottom line? Basically, there is nothing required in the PCI DSS that is overly onerous. Any organization that has been taking security seriously for the past few years should be in pretty good shape. A well-run security program will put a corporation in a strong position to be compliant with most regulations, including PCI DSS.

Thus, I don’t think the PCI DSS requirements should be loosened. Maybe the timeframes could be extended a bit, but just because it’s hard, doesn’t mean it shouldn’t be done.

Here’s a good note about Kiosk security with relation to PCI.

If you live or work in California, don’t forget bill AB 779:

Earlier this month, California bill AB 779 was passed near-unanimously in both the State Senate and State Assembly, and it now sits on the Governator’s desk, awaiting the prodigious force of his personal stamp of approval.

At the center of the bill is a requirement that would force retailers like TJX Companies to reimburse banks and credit unions for any expenses those firms are forced to endure as a result of a data breach — namely for re-issuing credit and debit cards to those customers whose accounts have been exposed. Sounds fair enough, and other states are again expected to follow suit.

There is also an article about an application for mobile phones that enables proximity payments.  I’m happy to see companies all around the world adopting the payment application security practices.

Popularity: 28% [?]

The week has been quiet as people work vigorously on their PCI compliance projects. Here’s some things that might help you along.

Tenable Network Security, the company that brought you Nessus, has “produced two Nessus PCI configuration .audit files for both the Windows and Linux operating systems. These configuration checks are derived from specific recommendations and audit requirements based on the PCI 1.1 standard.”

Check their blog for the audit files. These could help out with requirement 11.2 for internal vulnerability scanning. They even have a video online of how to install and use the files.

I don’t know anything about this but I came across a petition from Mark at port7. Apparently he has set up “a petition to the Prime Minister [in the UK] to make the PCI: DSS standards a legal requirement.”

What are your thoughts on making PCI DSS a law? We have talked about this before.

Popularity: 44% [?]

I was at the ERI eXchange conference in Boston and met some interesting people, one of them was Benita Kahn, partner at Vorys, Sater, Seymour and Pease LLP.  Benita is legal counsel for a major bank and has (probably) been involved in more legal cases than anyone else.  She was a wealth of information as we compared different acquirers, merchants, and their approach towards the laws of today (and tomorrow.)

One thing we discussed were horizon topics such as the Visa ADCR program (discussed earlier) and the state laws such as Minnesota and new ones in California.

It is an interesting industry that is changing to improve itself all the time.  I enjoyed Boston and the people there.

Popularity: 21% [?]

Well, the LogBlog beat us to it, in posting about California’s laws on data handling. I read through the bill they link to and it’s all about storage and disclosure. From the bill:

The bill would also prohibit a retail seller from retaining personal information for longer than 90 days after the date of an original transaction or as specified.

[The company] shall disclose any breach … or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

So the disclosure piece is only applicable if the data was unencrypted. Good to know.

Also, to think about is California bill 1747.09, which would go into effect on Jan. 1, 2009.  You can read it here:

(a) Except as provided in this section, no person, firm, partnership, association, corporation, or limited liability company that accepts credit or debit cards for the transaction of business shall print more than the last five digits of the credit or debit card account number or the expiration date upon any receipt provided to the cardholder.
(b) This section shall apply only to receipts that are electronically printed and shall not apply to transactions in which the sole means of recording the person’s credit or debit card number is by handwriting or by an imprint or copy of the credit or debit card.

What would this mean for the industry?  You have to remember that “charge backs” are the only real reason a company has for storing credit card data.  To perform a charge back you need (1) the authorization code and (2) the card number.

This law would mean a company cannot store the information necessary to perform charge backs, meaning the industry may have to change their practices for handling these transactions.

Popularity: 26% [?]

This week Minnesota trumped Texas in being the first state to make PCI compliance a law. Minnesota is home to people like Garrison Keillor and the many Swedes that live there. It is also a great Midwestern state, eh?

The state’s Plastic Card Security Act would set the following:

The law says that any company that suffers a data breach and is shown to have stored prohibited card data will have to reimburse banks for the cost of blocking the exposed cards and issuing new ones.

Companies that handle fewer than 20,000 payment card transactions yearly are exempted.

The act outlaws the post-transaction storage of data prohibited by the PCI DSS, but PIN data can be stored for 48 hours for debit card transactions.

A Harvard law blog points out that:

The state already has a data breach notification law, similar to those now spreading through state legislatures like wildfire.

The law does not mention PCI, but is strongly based on it. You will note that this law now enables the cardholder to see direct damages against a company that improperly discloses their credit card data.

How will this change PCI? It will not. The merchant still has an obligation to their acquirer to validate compliance. This new law is simply a new avenue for consumers and consumer advocacy groups to pursue direct damages from the merchant. It greases the skids for future lawsuits.

Popularity: 33% [?]

There is a lot of debate going on in the legal courthouses right now about FACTA and how it applies to identity theft. (Some precedent here.) So what is FACTA and how does it apply to PCI compliance?

Well, FACTA is not the Luigi Facta, the Italian politician and journalist. It is the Fair and Accurate Credit Transactions Act (FACTA). Most people know of FACTA in that it entitles them to a free copy of their credit report if they are ever denied credit for any reason. It also enables them to put a fraud warning on their credit account if they feel they are a victim of identity theft.

I want to stop here and remind everyone that credit card theft has NOTHING to do with identity theft. To say it is would be the equivalent of saying that by stealing cash from your wallet one could then re-create your monthly paycheck. Identity theft means stealing the basic building blocks that can be used to create more credit, debt, and identification sources. Examples would be stealing someones social security number, birth certificate, or other ID. Stealing an omelet does not enable me to make eggs!

But, there is another side of the FACTA law that addresses credit card security.

The FTC’s latest FACTA rule requires any business “that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose” to “properly dispose of such information or compilation.” Both FACTA and the new rule are supposed to cut down on the incidences of identity theft by, among other methods, restricting the ability of thieves to go “dumpster diving” for valuable consumer information contained in discarded business records.

According to the Privacy Rights Clearinghouse:

FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card’s expiration date be printed on the cardholder’s receipt.However, the effective date of this provision is a long way off, and there are a couple of loopholes:

• This section does not apply to receipts for which the sole means of recording a credit or debt card number is by handwriting or by an imprint or copy of the card.
• For machines in use before January 1, 2005, the merchant has three (3) years to comply.
• For machines in use after January 1, 2005, the merchant has one (1) year to comply.

So what do we do now? Well, the consumer sue the merchants, who in turn sue the POS vendors. When the reality of the matter is that monetary loss due to thrown out credit card numbers come no where near the numbers and actionable-volume seen in cases such as the TJX breach. How many dumpsters would you have to dive into to obtain (and then manually enter) the 40 million card numbers rumored to be compromised as part of the TJX breach? Why would any self respecting hacker dive into a dumpster when they can compromise a non-compliant merchant or service provider?

And, please oh please, do not label credit card theft as identity theft. It is nothing of the sort. *sigh*

Popularity: 29% [?]

I’m late to the news but catching up on events. Everyone including ComputerWorld, nCircle’s 360 blog, and James DeLuccia’s PCI blog have talked about it.

Here’s the link to the Texas state bill (HB3222 and full text) and the GardianEdge Breach Disclosure Law Locater.

Read their analysis. This bill is on the heals of national data privacy legislation to protect personally identifiable information (PII).

Update: I was told today that this law may die a slow death…

Popularity: 36% [?]