Lawmakers to Industry: Self-Regulate or Be Regulated
By Ericka Chickowski | Posted 2008-01-30

The failure of PCI to prevent the TJX breach and other high-profile security debacles may prompt federal and state legislators to take action.
Avoiding mandatory, punitive government regulation has always been part of the motivation behind industry self-regulation in security. The Payment Card Industry Data Security Standard (PCI DSS, commonly shortened to PCI) was intended to ensure the integrity and confidentiality of electronic card transactions, which covers essentially any retail credit or bank card payment.
PCI, however, wasn’t enforced or taken seriously enough to have prevented the
Disgruntled consumers are turning to lawmakers to enact laws designed to protect their identities. This could mean that retailers will have to contend with government regulations on top of the PCI standard.
While there are reports of federal legislation in this arena, no bills have been introduced in Congress requiring credit card processors to bolster security. State legislators, on the other hand, have been busy in response to
- The Minnesota Plastic Card Security Act, the first such state-level law enacted, prohibits merchants that accept payment cards from retaining Track 2 data, CVV2 data and personal identification numbers (PINs), and requires them to reimburse banks and credit unions if they store such information and the data is compromised.
- Connecticut, Illinois, Massachusetts
- California introduced a bill similar to the Minnesota
- Texas is considering legislation mandating that merchants comply with PCI standards. The proposed law would make violators responsible for reimbursing banks and financial institutions for the cost of reissuing credit cards in the event of a breach.
Some security executives believe that passage of such a law in a large enough state would have a profound effect on PCI compliance and security practices throughout the retail industry.
“It only takes one of those passing in a large state, say