The credit card industry has been trying to force stronger data privacy rules onto the banking and retail sectors for more than a year. Now state legislatures are getting into the act.
A California bill forcing merchants to comply with key elements of the Payment Card Industry Data Security Standard is a governor’s signature away from becoming law. PCI standards already are the law in Minnesota, which passed the nation’s first such statute in May. And with no end in sight to headline-grabbing stories of identity theft, compliance officers can expect more states to follow suit.
Credit card companies—primarily Visa, Mastercard, and American Express—have been pressuring merchants since 2005 to adopt the PCI standard, a set of IT controls the credit card industry developed to protect consumer information. The standard went into effect Sept. 30, with the credit card companies threatening stiff fines to any merchant or bank not in compliance. Legions of businesses haven’t complied anyway.
Now, however, state legislatures eager to do something about identity theft are using the PCI standard for their own legislation. The California legislation, for example, says merchants failing to demonstrate compliance with certain parts of the PCI standard must reimburse banks and credit unions for costs associated with issuing new credit cards to their customers.
The California bill does not explicitly mention PCI (neither does the Minnesota law) but the regulatory heritage is clear.
“What we did was take concepts from PCI and put them into Section 1 of the bill,” says Ron Fong, chief lobbyist for the California Credit Union League. That move was intended to blunt criticism that the state was codifying technologies that could become obsolete, Fong says.
Putting a legislative stamp on a credit-card industry standard is quite controversial. Backers say such laws are a matter of consumer protection and aligning cost and risk. Opponents (primarily merchants faced with costly upgrades to their IT systems) say existing law protects consumers and that states should leave the matter to credit card companies, banks, and merchants.
If Gov. Arnold Schwarzenegger follows the will of the California State Assembly—which passed A.B. 779 with large majorities and sent the bill to his desk Sept. 18—other states could well follow suit. That is exactly what happened in 2002 when California became the first state in the nation to require companies to notify consumers of data thefts; since then, 34 states have passed similar laws, according to the National Conference of State Legislatures.
“I think a lot of this relates back to the concerns that legislators’ constituents are having with identity theft and personally identifying information,” says Heather Morton, a legislative analyst with the National Conference of State Legislatures.
Texas was on track to have a PCI-related law before California, but its legislative session expired in May before lawmakers could put the final touches on a bill. Still, a preliminary bill adopting PCI standards passed the lower chamber 139-0.
Winter Propasio, spokeswoman for the Texas Credit Union League, says news of the TJX Cos. data theft in January (records from 45.6 million cardholders were compromised) led to the bill’s breezing through the state House of Representatives.
“Our credit unions started to have some serious numbers of cards having to be replaced,” she says, costing an estimated $15 to $25 per card.
According to Propasio, the idea behind such legislation is simple: If a merchant’s poor IT systems are responsible for a data breach, then the merchant should pay for issuing new credit cards. If merchants prove they are following the PCI standard, the banks and credit unions will pay for the new cards, as they do today.
PCI Compliance Battles
In addition to requiring commonsense IT security practices related to access control and network security, the PCI standard forbids merchants from storing magnetic-stripe data such as credit card numbers, expiration dates, and security codes. It also requires encryption of certain card data whenever stored, processed, or transmitted.
Both the Minnesota law and the California bill emphasize what Eduardo Perez, vice president for payment system risk and compliance at Visa, has called PCI’s key message: “Don’t store it if you don’t need it.”
Merchants who store card verification codes, PIN numbers, or payment verification codes, or who send payment-related data on an open network without encryption, would be liable for card-reissuing costs under the California bill.
Unto itself, PCI compliance is nothing new to merchants. Visa International announced last December that it would force PCI compliance on 1,200 of its biggest merchants by the end of this year. It is pushing action by offering $50,000 bonuses or threatening $25,000 daily fines for banks and card processors handling merchant credit card business. Those “Level 1” merchants, who handle millions of card transactions annually, largely are already PCI compliant and don’t seem to have problems with it (at least, none they utter publicly).
“A lot of this relates back to the concerns that legislators’ constituents are having with identity theft and personally identifying information.”
— Heather Morton,
But legislating PCI standards is another matter, many of them say. Nancy Shelledy, vice president of labor and employment for Embarq Holdings Corp., a $6 billion local telecommunications company, says she worries about the trend of pushing “all the exposure and liability that comes from the misuse of credit cards” onto merchants.
“I’m not sure this is a government issue anyways; I think this is a marketplace issue,” Shelledy says.
Avivah Litan, an analyst at the Gartner Group, agrees.
“I think it’s totally outrageous, frankly, to put in government statute any form of legislation on this issue, whether state or federal,” Litan says. “It’s just symbolic to me how strong the banking lobby can be.”
Litan says banks and credit unions are already reimbursed for direct credit card fraud costs and that fraud risk is already reflected in fees charged to retailers. PCI legislation just continues a trend of tilting the playing field against retailers, she says.
The National Retail Federation is also critical. Elizabeth Oesterle, a lobbyist with the group, says the real reason for PCI legislation is that credit unions have higher card-issuing costs than many banks. Visa and Mastercard will not reimburse credit unions beyond market rates for issuing new cards, “So this is their opportunity to go after merchants directly,” she says.
Oesterle contends that PCI-related legislation has little to do with consumer issues of identity theft and credit card fraud. “The consumer is completely taken care of anyway,” she says, since federal law caps the public’s liability at only $50.
Rather, she says, it is a business-to-business issue—and passage of A.B. 779 in California could reverberate widely. “The problem with these kinds of bills is that if it happens in California, it’s going to go national.”
Minnesota’s Plastic Card Security Act went into effect Aug. 1, with noncompliant merchants on the hook for card-reimbursement costs effective Aug. 1, 2008. Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network, which backed the new Minnesota law, says she has seen “a lot of interest from other states who are interested in doing something similar.”
But Humphrey also notes that similar laws failed to pass in Maine, Connecticut, New York, and Massachusetts.
“I think the dynamics of each state are very different,” she says. “From our perspective, we hope other states are successful.”