Washington Becomes Third State to Enact a Law Connected to PCI DSS

04/13/2010 / Molly Eichten and James Graves

Anyone who deals with credit card data is probably familiar with the Payment Card Industry Data Security Standard. PCI DSS requires anyone who stores, processes, or handles payment cards to meet certain technical and process requirements. Larger merchants and service providers must pass regular external security assessments, and everyone subject to PCI DSS must undergo frequent scans for technical vulnerabilities. Failure to comply with PCI DSS can lead to significant fines in the event of a data breach.

In 2007, Minnesota became the first state to pass a law based on PCI DSS. The Minnesota law prohibits anyone conducting business in Minnesota from storing sensitive information from credit and debit cards. The law makes non-compliant entities liable for financial institutions' costs of canceling and replacing credit cards compromised in a security breach.

Last year, when Nevada updated its encryption law, it included a requirement that anyone who does business in that state and accepts payment cards must comply with PCI DSS.

On March 22, 2010, Washington became the third state to enact a law connected to PCI DSS. Washington's law is similar to Minnesota's in that it allows financial institutions to recover the costs of reissuing payment cards after a data breach. If a business fails to take reasonable care to protect against unauthorized access, and that failure is found to be the cause of a breach, then the business is liable for the cost to financial institutions of reissuing the compromised cards of Washington residents. However, a business is not liable under the new law if that business was certified as PCI DSS compliant within one year prior to the breach.

As with most laws of this type, Washington's law applies to organizations outside its own borders. For example, a "business" is any legal or commercial entity that "provides, offers, or sells goods or services" to Washington residents and handles six million or more payment card transactions per year. The law also applies to "vendors" and "processors," the definitions of which do not include any geographic restrictions and might be expected to include anyone who would be within the reach of Washington law.

Anyone who stores, processes, or handles credit cards has already been subject to PCI DSS requirements. Washington's new law does not appear to add any new requirements, but it does create the risk of additional costs for non-compliance. Merchants with customers in Washington who handle large numbers of credit cards now have an extra incentive to maintain PCI DSS compliance.

-- Molly Eichten is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice. James Graves, CISSP, is a J.D. candidate at William Mitchell College of Law and is a law clerk at Larkin Hoffman.