Lawmakers to Industry: Self-Regulate or Be Regulated

The failure of PCI to prevent the TJX breach and other high-profile security debacles may prompt federal and state legislators to take action.

Avoiding mandatory and punitive government regulations has always been a part of industry’s attempt at security self-regulation. The Payment Card Industry Data Security Standard (PCI) was intended to ensure the integrity and confidentiality of electronic transactions, which pretty much covers any retail credit or bank card payment.

PCI, however, wasn’t enforced or taken seriously enough to have prevented the TJX fiasco that allowed the compromise of more than 94 million credit card and individual customer records.

Disgruntled consumers are turning to lawmakers to enact laws designed to protect their identities. This could mean that retailers will have to contend with government regulations on top of the PCI standard.

While there are reports of federal legislation in this arena, no bills have been introduced in Congress requiring credit card processors to bolster security. State legislators, on the other hand, have been busy in response to TJX and numerous other security breaches. The following are examples of state-level data protection legislation that has been introduced during the past year:

• The Minnesota Plastic Card Security Act, the first such state-level law enacted, prohibits merchants that accept payment cards from retaining Track 2 data, CVV2 data and personal identification numbers (PINs), and requires them to reimburse banks and credit unions if they store such information and the data is compromised.
• Connecticut , Illinois and Massachusetts are considering legislation that would make merchants responsible for fraud-related losses—including the cost to banks to reissue credit cards—incurred as a result of a security breach.
• California introduced a bill similar to the Minnesotalaw, but Gov. Arnold Schwarzenegger vetoed the bill because it would be a burden on small businesses. Sacramentoinsiders expect lawmakers to introduce the proposal again this year.
• Texas is considering legislation mandating that merchants comply with PCI standards. The proposed law would make violators responsible for reimbursing banks and financial institutions for the cost of reissuing credit cards in the event of a breach.

Some security executives believe that the passing of a law on such matters in a large enough state would have a profound effect on PCI compliance and security practices throughout the retail industry.

“It only takes one of those passing in a large state, say Californiaor New York, to generate a sea change in the industry,” says Michael Barrett, chief information security officer at PayPal. “Changing the liability structure is something most general counsels’ offices simply won’t let corporate management teams ignore.”