Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


Schwarzenegger Terminates CA Retail Data Security Law

Minnesota remains only state to outlaw retention of credit card data

Governor Arnold Schwarzenegger Saturday put the kibosh on California's bid to become the second state in the U.S. to pass a law forcing retailers to discontinue the practice of retaining customer credit card data.

The bill would have banned merchants from collecting sensitive consumer data unless they had a data retention policy. Even then, they would be severely limited on what information they could collect, and how long they could retain it. The bill also would have made merchants liable for reimbursement of some recovery costs if customers' data was stolen from them.

The state of Minnesota earlier this year passed a law that essentially outlaws the retention of credit card data for more than 48 hours. By that law, the merchant becomes liable for some damages if customer credit data is held longer than 48 hours and then is lost via a security breach. Those damages could include costs to the card issuer, such as banks, which have footed most of the bill for previous retail breaches, including the one that occurred at TJX Companies. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Experts say the California bill was more nuanced, and allowed merchants to escape liability if they held to a number of specific security guidelines. (See TJX Breach Skewers Customers, Banks and NAC: Can't Get No Satisfaction.)

But Governor Schwarzenegger said the compliance requirements are too stiff for small businesses, which have lobbied against the new law. The law also could conflict with industry standards such as the Payment Card Industry's Data Security Standard, he said. While the California legislature considers whether it has enough votes to override the veto, the governor invited the lawmakers to submit a reworked version of the bill.

Legal experts generally agreed with Schwarzenegger that the language of the California bill is problematic and leaves some unanswered questions about how it will be enforced.

"If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur," noted Benjamin Wright, an expert in computer law, in his blog following the bill's passage. "This scheme for imposing liability does not seem fair or rational. It requires perfection."

The new laws could also put a heavy burden on law enforcement and court systems, which would be tasked with somehow monitoring the compliance of retail institutions and prosecuting the offenders, experts noted. Some 200 merchants already have been sued for violation of the Fair and Accurate Credit Transactions Act, which requires credit card handlers to truncate all credit information so that only the last few numbers of an account can be read, notes Deborah Thoren-Peden, an attorney at Pillsbury, Winthrop, Shaw, and Pittman.

Some critics have also said that the new laws are redundant with regulations laid out by the credit card industry under PCI. David Taylor, president of the The Payment Card Industry Security Vendor Alliance (PCI SVA) and an executive at Protegrity Corp. , says most PCI auditors and vendors welcome the attention created by the new legislation, but they wonder how it will be enforced.

"The question is: 'Who's going to be in the merchant's face every day to see whether they are in compliance, and what rules of compliance will they be held to?'" Taylor wonders. Minnesota's law doesn't lay out the requirements for compliance, where the PCI regulations are very detailed and specific, he notes.

"In the end, are merchants going to see a government auditor every Monday and a PCI auditor every Thursday?" Taylor asks. "I'm not sure that the government is staffed for that sort of monitoring." Minnesota's law also isn't clear on how to handle common retail practices, such as automated monthly billing and customer purchase analysis, which may require the use of customer data for a period of more than 48 hours, he notes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...