California is ready to adopt new legislation regulating the management of credit card data by retail merchants. The legislature has passed Assembly Bill (AB) 779, the so-called Consumer Data Protection Act, and submitted it to the governor for signature. Proponents believe Governor Schwarzenegger will sign the legislation. [Update: He vetoed the bill. But this discussion is still relevant to those thinking about how data security law should and should not be written.]
Similar to Minnesota's HF 1758, AB 779 contemplates that a merchant will reimburse credit card issuers for costs they incur replacing cards after the merchant suffers a data security breach.
Under Minnesota's HF 1758, the reimbursement requirement only applies if the merchant commits the "transgression" of storing card security data or full magnetic stripe data longer than 48 hours after transactions are authorized.
Compare California’s AB 779. Under 779, the merchant can be excused from the reimbursement requirement if the merchant avoids certain "transgressions" such as storing full track data, storing payment verification codes, transmitting unencrypted payment data over the Internet and storing payment information without a proper data retention policy.
Hence, HF 1758 and AB 779 are similar in the way they impose liability. Both laws effectively say a merchant that suffers a data breach must reimburse card issuer costs if the merchant has committed any of the identified transgressions. Further, both laws require reimbursement even if the breach is unrelated to the transgressions.
In other words, this is what the literal words of the Minnesota and California legislatures seem to mean: If a merchant commits even one tiny transgression -- even one unconnected with any actual break-in -- then that merchant is ineligible to avoid liability for card replacement costs when a break-in does occur.
Analysis: This scheme for imposing liability does not seem fair or rational. It requires perfection. Few organizations can be perfect in avoiding the data security transgressions identified by the legislatures. But many organizations might do a reasonably good job of avoiding those transgressions. Yet the legislatures offer no reward for being reasonably good. They only reward perfection.
HF 1758 and pending AB 779 obviously disfavor merchants. But merchants are not required to accept credit or debit cards. Further, the payment card industry is competitive. Thus, if a card issuer like American Express can invent a scheme that helps the merchant avoid hassles and liability arising under HF 1758 and AB 779, then it achieves competitive advantage over, say, Mastercard and Visa. Merchants might be persuaded to announce that they accept AmEx but not Mastercard and Visa. If AmEx invents a scheme that clearly reduces the merchant's risk, then merchants don't need insurance relative to AmEx transactions. In contrast, they would desire insurance for transactions (e.g., Mastercard and Visa) bearing higher risk on account of laws like 1758 and 779; insurance costs money and therefore may make the higher-risk transactions undesirable.
Ben, I must mention these are very good comments. I am doing an analysis on AB 779 and have read your various comments across the web and found them very interesting and intelligent.
Thanks for the kind words, Rahil.
--Ben
Merchants are caught between a rock and a hard place. New laws like HF 1758 forbid them from storing certain payment data, but PCI requirement 3.1 recognizes they may need to store that data for business, legal or regulatory purposes. When auditors search for historical fraud, they need access to very detailed data records, including the kind of data records that HF 1758 outlaws.