Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

Schwarzenegger Terminates CA Retail Data Security Law

Minnesota remains only state to outlaw retention of credit card data

Governor Arnold Schwarzenegger Saturday put the kibosh on California's bid to become the second state in the U.S. to pass a law forcing retailers to discontinue the practice of retaining customer credit card data.

The bill would have banned merchants from collecting sensitive consumer data unless they had a data retention policy. Even then, they would be severely limited on what information they could collect, and how long they could retain it. The bill also would have made merchants liable for reimbursement of some recovery costs if customers' data was stolen from them.

The state of Minnesota earlier this year passed a law that essentially outlaws the retention of credit card data for more than 48 hours. By that law, the merchant becomes liable for some damages if customer credit data is held longer than 48 hours and then is lost via a security breach. Those damages could include costs to the card issuer, such as banks, which have footed most of the bill for previous retail breaches, including the one that occurred at TJX Companies. (See Many Retailers Will Not Make PCI Compliance Deadline.)

Experts say the California bill was more nuanced, and allowed merchants to escape liability if they held to a number of specific security guidelines. (See TJX Breach Skewers Customers, Banks and NAC: Can't Get No Satisfaction.)

But Governor Schwarzenegger said the compliance requirements are too stiff for small businesses, which have lobbied against the new law. The law also could conflict with industry standards such as the Payment Card Industry's Data Security Standard, he said. While the California legislature considers whether it has enough votes to override the veto, the governor invited the lawmakers to submit a reworked version of the bill.

Legal experts generally agreed with Schwarzenegger that the language of the California bill is problematic and leaves some unanswered questions about how it will be enforced.

"If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur," noted Benjamin Wright, an expert in computer law, in his blog following the bill's passage. "This scheme for imposing liability does not seem fair or rational. It requires perfection."

The new laws could also put a heavy burden on law enforcement and court systems, which would be tasked with somehow monitoring the compliance of retail institutions and prosecuting the offenders, experts noted. Some 200 merchants already have been sued for violation of the Fair and Accurate Credit Transactions Act, which requires credit card handlers to truncate all credit information so that only the last few numbers of an account can be read, notes Deborah Thoren-Peden, an attorney at Pillsbury, Winthrop, Shaw, and Pittman.

Some critics have also said that the new laws are redundant with regulations laid out by the credit card industry under PCI. David Taylor, president of the The Payment Card Industry Security Vendor Alliance (PCI SVA) and an executive at Protegrity Corp. , says most PCI auditors and vendors welcome the attention created by the new legislation, but they wonder how it will be enforced.

"The question is: 'Who's going to be in the merchant's face every day to see whether they are in compliance, and what rules of compliance will they be held to?'" Taylor wonders. Minnesota's law doesn't lay out the requirements for compliance, where the PCI regulations are very detailed and specific, he notes.

"In the end, are merchants going to see a government auditor every Monday and a PCI auditor every Thursday?" Taylor asks. "I'm not sure that the government is staffed for that sort of monitoring." Minnesota's law also isn't clear on how to handle common retail practices, such as automated monthly billing and customer purchase analysis, which may require the use of customer data for a period of more than 48 hours, he notes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27670
PUBLISHED: 2021-02-25
Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.
CVE-2021-27671
PUBLISHED: 2021-02-25
An issue was discovered in the comrak crate before 0.9.1 for Rust. XSS can occur because the protection mechanism for data: and javascript: URIs is case-sensitive, allowing (for example) Data: to be used in an attack.
CVE-2020-9051
PUBLISHED: 2021-02-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.
CVE-2020-9052
PUBLISHED: 2021-02-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.
CVE-2020-9053
PUBLISHED: 2021-02-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.