
September 11, 2007 | written by Rachel Kim

When it comes to data privacy, California Consumers sure have a lot of Clout

California bill AB 779 was passed in the Senate late last week, and is currently awaiting final approval by the Assembly.

The most contentious part of this legislation is that the breached organization would be held responsible for the issuer's costs of notifying cardholders and blocking and reissuing cards. Similar bills have sprouted up in other states, primarily spurred on by the infamous TJX breach and by issuers claiming that it isn't fair for them to cover the costs of a security breach that they didn't cause.

What I find particularly interesting is that this bill actually codifies the PCI DSS: it prohibits retailers and other merchants from storing sensitive authentication data, and it requires merchants to use strong encryption and access controls. What I'd like to know is whether a PCI-compliant merchant is provided with safe harbor, meaning that if they are indeed compliant with the PCI standards but still experience a security breach, they will not have to cover the issuer's costs of notifying customers and reissuing cards. This has not yet been clarified. In my opinion, a PCI-compliant merchant should NOT have to cover these costs, as they've been doing everything they can to protect customer data (after all, the PCI standards are data security "best practices," are they not?).

Our upcoming Javelin report on PCI compliance will delve further into this legislative quandary…


Comments #1 | September 20th, 2007 Mary Monahan wrote:

With both the Assembly and Senate (73-0) passing this bill unanimously, this bill is sitting on Gov. Schwarzenegger's desk awaiting his signature, and with so much bipartisan support, I don't see how he can do anything but sign it. AB 779 seems like a done deal. As we saw in our survey on Data Breaches, consumers think merchants are the weak link in data security, and this is coming back to hurt retailers in this pending consumer legislation.

Comments #2 | September 22nd, 2007 Ben Wright wrote:

AB 779 expects more of merchants than the PCI DSS does. For example, the PCI places a number of complex requirements on merchants, but then in Appendix B it says many of these requirements are excused if the merchant has "compensating controls." Thus, true compliance with the PCI is a tricky topic. But AB 779 is much more direct and draconian in its imposition of rules on merchants. It does not recognize nuances like compensating controls. —Ben Wright, hack-igations.com