ST. PAUL, MN — Minnesota recently became the first state to turn a core requirement of the Payment Card Industry (PCI) Data Security Standard (DSS) into a law for all companies — including fitness clubs — that handle credit and debit card data.
Gov. Tim Pawlenty signed the Plastic Card Security Act into law in May. The law says that any company in Minnesota that suffers a data breach and is shown to have stored prohibited card data is liable and will have to reimburse banks for the cost of blocking the exposed cards and issuing new ones. Such companies are prohibited from retaining the full contents of a track of magnetic stripe data, the three- to four-digit security code on the back of the card by the signature block and any PIN verification code number. If a debit card with a PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction.
The security requirements go into effect Aug. 1. The liability provision of the Minnesota law applies to data breaches occurring after Aug. 1, 2008. The provision requires companies to reimburse the card-issuing financial institution for the “costs of reasonable actions” both to protect its cardholders' information and to continue to provide services to its cardholders after a breach.
Minnesota companies — including fitness clubs — that handle fewer than 20,000 payment card transactions yearly are exempted.
In Texas, the House of Representatives passed a bill in early May that would require companies to follow the PCI DSS, but the bill failed to make it through the Senate. PCI bills similar to the ones in Minnesota and Texas have appeared in the legislatures of California, Connecticut, Illinois and Massachusetts.