Merchants Face New Liability for Data Security Breaches
The efforts by payment card merchants to comply with the PCI Data Security Standards, developed by the major payment card networks to address the increased risk of data security breaches, have taken on additional importance. Minnesota is the first state to enact legislation codifying one of the twelve PCI Security Standards requirements. The Plastic Card Security Act takes effect August 1, 2007, and prohibits merchants who do business with Minnesota residents from storing “sensitive authentication data,” which includes magnetic stripe data, card validation codes, PINs and encrypted PIN blocks. More significantly, effective August 1, 2008, merchants face strict liability to financial institutions for costs incurred in connection with a data security breach.
The prohibition on storing sensitive authentication data applies once the transaction has been authorized, or, in the case of a PIN debit transaction, 48 hours after authorization. The law also holds the merchant liable when the merchant’s service provider fails to comply with the requirements.
The Act applies to merchants who conduct business with Minnesota residents, even if they are not physically located in the state. The question of what activities constitute conducting business within the state is fact-specific. An isolated transaction will not typically constitute “doing business,” but in light of this new law, it will be important for a merchant to continually assess the extent of its business with Minnesota residents.
Other states are lining up to join Minnesota in what promises to be a new wave of legislation aimed at preventing data security breaches and identity theft. Similar bills are pending in the legislatures of California, Connecticut, Illinois, Massachusetts, and Texas.
Compliance with the PCI Security Standards will substantially reduce merchants’ exposure under this new legislation.