The Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major credit card companies has probably done a lot to stave off state and federally mandated controls for protecting customer credit and debit card data up to now. The big question as a new year begins, is for how much longer though?
More than two years after the PCI standard went into broad effect, data breaches involving payment card data continue unabated. Obviously it would have been unrealistic for anyone to have expected them to stop altogether just because of PCI. And it’s impossible to know how many compromises were averted because of the standard.
Even so, the number of data compromises involving payment card data being disclosed by businesses is only increasing, not decreasing. One reason is simply that state breach notification laws are forcing companies to disclose compromises that in the past they might not have. Another is the continuing lack of visible enforcement of PCI which has resulted in an environment where many companies, including large ones, are still not fully compliant with the mandate.
And that’s a problem for those hoping that a private industry initiative such as PCI alone will be enough to keep lawmakers at bay for much longer.
Already Massachusetts and Nevada have passed laws requiring companies to encrypt all sensitive customer data and implement measures for controlling access to it. The Massachusetts law, which seems to have a lot of people anxiously reviewing their security measures, was supposed to have gone into affect Jan 1 but has been pushed back  to May 1. Nevada’s law went into effect on October 1.
As far back as May 2007, Minnesota  passed a law known as the Plastic Card Security Act. Under the statute, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. Attempts at passing similar legislation-most of which are sponsored by financial institutions–have so far failed in places such as California , Texas and elsewhere. But all its going to take is for another major retail breach or two for them to be revived.
The security requirements spelled out in these statutes are mostly the same as those mandated under PCI though they cover other data classes as well such as Social Security numbers and bank account information. The key difference is that the mandates in Massachusetts and elsewhere are coming from a government agency and carry the full authority of state law. Companies that suffer data breaches and are found to have been noncompliant with the regulations could find themselves exposed to greater legal and financial issues than the PCI standard generally provides for.
Here again, everything will depend on how vigorously these mandates are enforced. But it probably is going to be a whole lot riskier for companies to simply pretend like they are doing something, as at least a few appear to be doing, with PCI.