The credit card industry has been trying to force stronger data privacy rules onto the banking and retail sectors for more than a year. Now state legislatures are getting into the act.

A California bill forcing merchants to comply with key elements of the Payment Card Industry Data Security Standard is a governor’s signature away from becoming law. PCI standards already are the law in Minnesota, which passed the nation’s first such statute in May. And with no end in sight to headline-grabbing stories of identity theft, compliance officers can expect more states to follow suit.

Credit card companies—primarily Visa, Mastercard, and ...