Archives: Plastic Card Protection Laws


Point of Sale Data Collection Litigation – An Overview and Future Directions

California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the …

California Supreme Court: Online Sales of Downloadable Products Not Covered by Song-Beverly Credit Card Act

The California Supreme Court ruled this week in a 4-3 decision that an online retailer may request personal information when selling a downloadable product. See Apple, Inc. v. Superior Court, Case No. S199384 (Cal. Feb. 4, 2013). This decision, interpreting the Song-Beverly Credit Card Act of 1971, Cal. Civ. Code § 1747.08 (the “Credit Card …

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. …

Nevada’s Security of Personal Information Law Post Four: Encryption and PCI Compliance Requirements

The following FAQs address the encryption and PCI compliance requirements of Nevada’s Security of Personal Information Law, which were added pursuant to a recent amendment to the law. The rest of the FAQ is linked to here. …

FAQ on Nevada’s Security of Personal Information Law (NRS 603A)

InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada’s Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the …

Security Assessor Sued in CardSystems Breach: Merrick Bank v. Savvis

I had missed the original filing of this complaint, but have now been able to obtain a copy of it. Essentially a lawsuit by a bank against Savvis for allegedly making a mistake in certifying CardSystems as CISP compliant. The complaint alleges $16 million in damages, which essentially are the amounts that Merrick (acquiring bank) …

Credit Card Thieves So Good They Have Too Much Data…

Some interesting statistics from a new report from Verizon Business. The Washington Post security writer sums it up nicely in terms of the payment card data market: [Verizon] said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of …

Ruiz v. Gap: Increased Risk of ID Theft Not Damages

In a previous post this blog noted that a California Federal District Court denied a motion to dismiss a data breach negligence claim based on a lack of “damages.” Despite the partial “victory,” the Court had also suggested that the damages issue might not survive a motion for summary judgment. Well, the Court made its …

The New Path to PCI Liability: 3rd Party Beneficiary Theory

Merchants face a potentially huge liability if they suffer a security breach exposing payment card data. Issuing banks (those banks that issue credit cards to consumers) have filed lawsuits to recover reissuance costs allegedly ranging from $20-$50 per card (multiplied by thousands or millions of cards depending on the magnitude of the breach). A recent …

The “Circle of Blame”

I prefer the “Chain of Blame” because of the better rhyme scheme… all kidding aside, Andrew Conry-Murray has done some good reporting on this story. One money quote: While PCI provides more concrete guidelines than, say, Sarbanes-Oxley, merchants are quick to complain that it’s both too specific and too vague. For instance, the standard requires …

Article Exploring PCI-related Risks in the Hannaford Breach

Interestingly, some reporters are digging deeper to explore the implications of a PCI-compliant company suffering a payment card breach: see here. I think we don’t have all the information, so everybody is engaging in various levels of speculation. However, we do know two facts: (1) compliance with PCI was represented in Hannaford’s privacy policy …

Legislative Update: 2 New Plastic Card Protection Bills Pending (Alabama and Iowa)

Plastic Card Protection laws continue to be proposed in state legislatures. This time it’s Alabama and Iowa that are jumping into the fray with bills that incorporate the Payment Card Industry (“PCI”) Data Security Standard and/or provide financial institutions with the legal right to seek reimbursement for costs associated with payment card security breaches. However, …

The Legal Implications, Risks and Problems of the PCI Data Security Standard

While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators – there is no centralized body to resolve interpretative discrepancies in a …