I just participated in a SANS webcast on payment data security law. I made at least one mistake in describing Minnesota's HF 1758 and California's pending AB 779 (new legislation forbidding merchants from storing certain payment data). One or two people asked questions about the storage of sensitive data such as a credit card security code before a merchant receives bank authorization to process a transaction. I believe I said that such storage is not permitted under HF 1758 and AB 779. I was wrong. I have re-read those bills. They only forbid the storage of certain sensitive data such as credit card security codes after authorization is received.
Thus, it appears that under HF 1758 and AB 779 a merchant could store credit card security codes for a time before seeking authorization.
[As I emphasized in the webcast, I never give legal advice in public statements and presentations. If you need legal advice, you should talk to a lawyer and not rely on my public statements.]
These are new laws, and my interpretations of them could be wrong. If anyone sees I have made a mistake in this blog, in the webcast or in another venue, please let me know. I am eager to learn.