Merchants and processors that do business with residents of Washington State will have to beware of HB1140, which amends Washington’s breach notice law. Without going into the details of this legislation, the intent was to encourage financial institutions to re-issue credit and debit cards to consumers when appropriate upon the recognition of a possible data breach and fraudulent activity. The encouragement comes in the form of permission for the financial institutions, or issuing banks of the credit/debit cards, to recoup the data breach costs incurred as a result of businesses or processors that were negligent in maintaining or transmitting the cardholder data. It’s estimated that the overhead cost to the bank is around twenty dollars for each re-issued card.
The PCI Party started with the state of Nevada incorporating into legislation that all merchants must comply with PCI-DSS. What was a business obligation between the merchant and the card brand, for the privilege of taking payment via credit/debit cards, has now been converted into a law. The Washington version has some stipulations and takes a unique angle, going beyond identity theft protection by providing for cost recuperation for banks that re-issue credit/debit cards to Washington residents. I see this as a direct reaction to the aftermath of the Heartland Payment processor breach.
There are two things merchants and processors can do to protect themselves under HB1140. Processors, businesses, and vendors are not liable if (a) the account information was encrypted at the time of the breach, or (b) the processor, business, or vendor was certified compliant with the Payment Card Industry Data Security Standard (PCI-DSS) adopted by the PCI Security Standards Council and in force at the time of the breach.
However, here is where the legislation goes awry. The processor, business, or vendor will be considered compliant if its compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach. Uhmmm, wasn’t this the exact status that Heartland had at the time of the breach? Furthermore, the bill states that, for its purposes, the assessment of compliance is nonrevocable in determining liability. PCI compliance is only a point-in-time assessment that the controls and requirements have been met in the eyes of an assessor. Even the PCI Security Standards Council revoked the PCI compliance of Heartland Payment Systems and forced them to do a re-assessment in order to be re-listed as a processor in good standing.
What should a merchant do? Keep calm and carry on. PCI-DSS compliance was designed as, and should be used as, a baseline that provides reasonable security with a risk-based approach for an industry where there had been some lapses in consistent security behavior. Strive for a strong security discipline and strategy, and in doing so PCI compliance will be met.
Note to states: don’t join the PCI party in legislation. Your constituents, both merchants and consumers, will be better off in the long run if there is a national privacy and data protection standard that they can all adhere to consistently.