Schwarzenegger Terminates CA Retail Data Security Law

Minnesota remains only state to outlaw retention of credit card data

Governor Arnold Schwarzenegger Saturday put the kibosh on California's bid to become the second state in the U.S. to pass a law forcing retailers to discontinue the practice of retaining customer credit card data.

The bill would have banned merchants from collecting sensitive consumer data unless they had a data retention policy. Even then, they would be severely limited on what information they could collect, and how long they could retain it. The bill also would have made merchants liable for reimbursement of some recovery costs if customers' data was stolen from them.

The state of Minnesota earlier this year passed a law that essentially outlaws the retention of credit card data for more than 48 hours. Under that law, the merchant becomes liable for some damages if customer credit data is held longer than 48 hours and then is lost via a security breach. Those damages could include costs to the card issuers, such as banks, which have footed most of the bill for previous retail breaches, including the one that occurred at TJX Companies. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Experts say the California bill was more nuanced, and allowed merchants to escape liability if they held to a number of specific security guidelines. (See TJX Breach Skewers Customers, Banks and NAC: Can't Get No Satisfaction.)

But Governor Schwarzenegger said the compliance requirements are too stiff for small businesses, which have lobbied against the new law. The law also could conflict with industry standards such as the Payment Card Industry's Data Security Standard, he said. While the California legislature considers whether it has enough votes to override the veto, the governor invited the lawmakers to submit a reworked version of the bill.

Legal experts generally agreed with Schwarzenegger that the language of the California bill is problematic and leaves some unanswered questions about how it will be enforced.

"If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur," noted Benjamin Wright, an expert in computer law, in his blog following the bill's passage. "This scheme for imposing liability does not seem fair or rational. It requires perfection."

The new laws could also put a heavy burden on law enforcement and court systems, which would be tasked with somehow monitoring the compliance of retail institutions and prosecuting the offenders, experts noted. Some 200 merchants already have been sued for violation of the Fair and Accurate Credit Transactions Act, which requires credit card handlers to truncate all credit information so that only the last few numbers of an account can be read, notes Deborah Thoren-Peden, an attorney at Pillsbury, Winthrop, Shaw, and Pittman.

Some critics have also said that the new laws are redundant with regulations laid out by the credit card industry under PCI. David Taylor, president of the Payment Card Industry Security Vendor Alliance (PCI SVA) and an executive at Protegrity Corp., says most PCI auditors and vendors welcome the attention created by the new legislation, but they wonder how it will be enforced.

"The question is: 'Who's going to be in the merchant's face every day to see whether they are in compliance, and what rules of compliance will they be held to?'" Taylor wonders. Minnesota's law doesn't lay out the requirements for compliance, whereas the PCI regulations are very detailed and specific, he notes.

"In the end, are merchants going to see a government auditor every Monday and a PCI auditor every Thursday?" Taylor asks. "I'm not sure that the government is staffed for that sort of monitoring." Minnesota's law also isn't clear on how to handle common retail practices, such as automated monthly billing and customer purchase analysis, which may require the use of customer data for a period of more than 48 hours, he notes.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
