Schwarzenegger Terminates CA Retail Data Security Law

Minnesota remains only state to outlaw retention of credit card data

Governor Arnold Schwarzenegger Saturday put the kibosh on California's bid to become the second state in the U.S. to pass a law forcing retailers to discontinue the practice of retaining customer credit card data.

The bill would have banned merchants from collecting sensitive consumer data unless they had a data retention policy. Even then, they would be severely limited on what information they could collect, and how long they could retain it. The bill also would have made merchants liable for reimbursement of some recovery costs if customers' data was stolen from them.

The state of Minnesota earlier this year passed a law that essentially outlaws the retention of credit card data for more than 48 hours. Under that law, the merchant becomes liable for some damages if customer credit data is held longer than 48 hours and then is lost via a security breach. Those damages could include costs to the card issuers, such as banks, which have footed most of the bill for previous retail breaches, including the one that occurred at TJX Companies. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Experts say the California bill was more nuanced, and allowed merchants to escape liability if they held to a number of specific security guidelines. (See TJX Breach Skewers Customers, Banks and NAC: Can't Get No Satisfaction.)

But Governor Schwarzenegger said the compliance requirements are too stiff for small businesses, which have lobbied against the new law. The law also could conflict with industry standards such as the Payment Card Industry's Data Security Standard, he said. While the California legislature considers whether it has enough votes to override the veto, the governor invited the lawmakers to submit a reworked version of the bill.

Legal experts generally agreed with Schwarzenegger that the language of the California bill is problematic and leaves some unanswered questions about how it will be enforced.

"If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur," noted Benjamin Wright, an expert in computer law, in his blog following the bill's passage. "This scheme for imposing liability does not seem fair or rational. It requires perfection."

The new laws could also put a heavy burden on law enforcement and court systems, which would be tasked with somehow monitoring the compliance of retail institutions and prosecuting the offenders, experts noted. Some 200 merchants already have been sued for violation of the Fair and Accurate Credit Transactions Act, which requires credit card handlers to truncate all credit information so that only the last few numbers of an account can be read, notes Deborah Thoren-Peden, an attorney at Pillsbury, Winthrop, Shaw, and Pittman.

Some critics have also said that the new laws are redundant with regulations laid out by the credit card industry under PCI. David Taylor, president of the Payment Card Industry Security Vendor Alliance (PCI SVA) and an executive at Protegrity Corp., says most PCI auditors and vendors welcome the attention created by the new legislation, but they wonder how it will be enforced.

"The question is: 'Who's going to be in the merchant's face every day to see whether they are in compliance, and what rules of compliance will they be held to?'" Taylor wonders. Minnesota's law doesn't lay out the requirements for compliance, whereas the PCI regulations are very detailed and specific, he notes.

"In the end, are merchants going to see a government auditor every Monday and a PCI auditor every Thursday?" Taylor asks. "I'm not sure that the government is staffed for that sort of monitoring." Minnesota's law also isn't clear on how to handle common retail practices, such as automated monthly billing and customer purchase analysis, which may require the use of customer data for a period of more than 48 hours, he notes.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...