The National Retail Federation finally ripped the payment card industry's data security standard in public on Thursday, and some experts feel that other pending breach laws are still very much up for grabs.

The retailers are finally fighting back.

Yesterday the National Retail Federation publicly blasted the Payment Card Industry Data Security Standard, issuing a statement that pushes the responsibility for the storage of sensitive customer data back on the card issuers themselves, the very same authors and enforcers of the mandate.

For those of you unfamiliar with PCI, it’s the data-handling regulation cooked up by the financial institutions that issue credit and debit cards (AMEX, Visa and MasterCard for starters) that requires anyone who processes their plastic to get their IT security systems up to snuff to prevent more leakage incidents like the one experienced by TJX Companies.

“With this letter, we are officially putting the credit card industry on notice,” said NRF CIO David Hogan in the missive. “Instead of making the industry jump through hoops to create an impenetrable fortress, retailers want to eliminate the incentive for hackers to break into their systems in the first place.”

According to NRF, credit card companies typically require retailers to store credit card numbers anywhere from one year to 18 months to satisfy “card company retrieval requests.” If retailers were given the choice to end the process of storing such customer data, they could lower their own risk and ensure greater consumer security, according to Hogan.

Strong words, but one has to wonder why the NRF hasn’t been making noise about PCI sooner. After all, the deadline for retailers to become PCI DSS compliant was the end of last week, and the regulation has been out there for almost years.
The PCI Security Standards Council has been working on the mandate since forming in late 2004.

And wasn’t it just a few years ago — before ChoicePoint, TJX and everyone else — that we were reading about all the ways that retailers were going to use the details stored in their CRM systems to create detailed electronic profiles of us all? It does seem like the data breach issue has forced a turnabout in perceptions of data gathering and mining — PCI or not.

NRF says further that credit card companies and their banks should provide merchants with the option of keeping no more than the authorization code data provided at the time of a transaction along with a “truncated receipt,” versus storing the card info.

“If all merchants took advantage of this option, credit card companies and their member banks would be the only ones with large caches of data on hand, and could keep and protect their card numbers in whatever manner they wished,” said Hogan. “The bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them.”

Is it all too little too late? Lucky for NRF, it would appear that the ship hasn’t truly sailed on PCI. According to some experts, many retailers and card processors are still way behind in terms of getting in line with the regulation from a technological standpoint — with some companies apparently willing to take a wait-and-see approach to dealing with potential audits and fines.

The issue of data-handling legislation is becoming decidedly more controversial nationwide. However, while a long list of related bills sits on Capitol Hill waiting to pass through various committees and in various states of progress, states continue to push forward.
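To make the NRF proposal above concrete, here is an added example (not code from NRF, the PCI Council or this post) of what a merchant's retention record would look like if it kept only the authorization code and a truncated receipt instead of the full card number. The sample transaction, the field names and the choice to keep the last four digits are all assumptions made for the illustration; the second function audits a stored record for anything that still looks like a full card number, which is the check a practitioner would want before trusting that a data store really holds no PANs.

```python
import re

# Constructed sample of what a point-of-sale system sees at authorization
# time. The PAN is a made-up test number, not real card data.
SAMPLE_AUTHORIZATION = {
    "pan": "4111111111111111",
    "expiry": "0909",
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
    "authorized_at": "2007-10-04T15:22:10Z",
    "merchant_ref": "POS-0042-000981",
}

# A full PAN is 13 to 19 consecutive digits; anything matching this inside a
# stored value is a sign the record was not actually truncated.
FULL_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Mask all but the last `keep_last` digits of a card number.

    keep_last=4 is an assumption for this example, not a number taken
    from the NRF letter.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def retention_record(auth: dict) -> dict:
    """Build the record a merchant would keep for retrieval requests under
    the NRF proposal: authorization code plus a truncated receipt, with no
    full PAN and no expiry date carried forward."""
    return {
        "auth_code": auth["auth_code"],
        "pan_truncated": truncate_pan(auth["pan"]),
        "amount_cents": auth["amount_cents"],
        "authorized_at": auth["authorized_at"],
        "merchant_ref": auth["merchant_ref"],
    }


def find_full_pans(record: dict) -> list:
    """Return the names of every string field whose value contains
    something shaped like a full PAN, so a retention store can be
    audited for card numbers that should not be there."""
    return [
        key for key, value in record.items()
        if isinstance(value, str) and FULL_PAN_RE.search(value)
    ]


if __name__ == "__main__":
    kept = retention_record(SAMPLE_AUTHORIZATION)
    print("retained record:", kept)
    print("full-PAN fields in raw authorization:", find_full_pans(SAMPLE_AUTHORIZATION))
    print("full-PAN fields in retained record:", find_full_pans(kept))
```

The point of the audit function is that a "we only keep truncated receipts" policy is only as good as the check that enforces it: run `find_full_pans` over whatever lands in the retention store, and an empty result is the evidence that the full number never left the authorization path.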
As I noted in a blog two weeks ago, California is on the cusp of signing a far more aggressive piece of legislation into effect than the state’s oft-referenced 1386 breach notification bill, which forced companies to begin reporting their data incidents publicly. Almost 40 other states have subsequently passed similar legislation.

The new bill, Calif. AB 779 — which would require merchants who experience data incidents to pay back any expenses incurred by banks and card companies for re-issuing cards to affected customers — has already passed through the state’s legislature and is sitting on Gov. Schwarzenegger’s desk awaiting approval — which many have said it will receive.

Retailers in the state are predictably up in arms over the bill. Benjamin Wright, author of several books on technology law, including “The Law of Electronic Commerce” and “Business Law and Computer Security,” responded to my blog by pointing out that many retailers feel the language of 779 is ambiguous and will place too much of a burden on merchants. Wright said in his own blog that the law would also make it nearly impossible for e-commerce companies to do business processing credit cards if it is interpreted in a certain manner.

“This scheme for imposing liability does not seem fair or rational,” said Wright. “It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transgressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection.”

On Capitol Hill, lobbyists say that interest in the dozen-odd data measures sitting in various committees continues to wax and wane. “One month people show more interest, but then it lags again,” said one Washington-based IT and security industry lobbyist who asked not to be named. “The committees seem to make progress but then they get distracted by other things. It’s one of those things where a lot of these bills might get done this session, or maybe they won’t get done at all.”

The lobbyist said that there are a variety of sticking points for the individual pieces of legislation, from the wording of the measures, to debate over to what extent national laws need to pre-empt existing state measures. With a bill sitting in the Senate’s Judiciary Committee that includes penalties including 5 years in jail for those who are responsible for failing to prevent breaches, it would seem the debate over credit card customer data is only just beginning to get interesting.

Stay tuned.