
Schwarzenegger Vetoes Retail Data Security Bill

California Gov. Arnold Schwarzenegger (R) on Friday vetoed a bill that would have forced retailers to foot more of the bill in cleaning up after customer data spills.

The bill was unanimously approved by the Assembly, with the state Senate passing it in a bipartisan 30-6 vote. Still, Schwarzenegger opted to "terminate" the bill, saying in his veto message that it threatened to place burdensome costs on small businesses and attempted "to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

The legislation was first offered in February, just weeks after retailer TJX Companies disclosed that a series of data breaches at Marshalls and other TJX retailers had resulted in the loss or theft of more than 45 million credit and debit card numbers over an 18-month period. TJX was forced to disclose the compromise due to the proliferation of state data breach disclosure laws, most of them modeled after California's first-in-the-nation law.

The legislation vetoed by Schwarzenegger would have forced retailers that experience a data breach or loss to reimburse California banks for the costs of debit and credit card replacement and consumer notification. The measure also would have essentially codified the Payment Card Industry Data Security Standard (PCI DSS), a set of card-association requirements designed to safeguard cardholder data. In the case of the TJX compromise, investigators found the company had not encrypted customer data, a key component of the PCI standards.

Schwarzenegger said the payment card industry "is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards."

According to Visa USA, only about 45 percent of large retailers are compliant with the PCI standards.

Interestingly, a Washington lobbying group for the retail industry recently challenged the credit card industry to consider alternative ideas for preventing credit and debit card theft. In its letter, the National Retail Federation urged Visa and MasterCard to stop requiring retailers to hold onto credit card numbers and other information associated with customer transactions.

While the PCI standards bar retailers from storing the data encoded on the magnetic stripe on the back of credit and debit cards, the NRF said credit card companies currently require retailers to store the information printed on the front of cards -- including cardholder name, account number and expiration date -- for up to 18 months in case the retailer's financial institution needs to investigate a customer chargeback. A chargeback happens when a consumer calls his or her credit card issuer and disputes a particular charge.

NRF's David Hogan suggested that credit card companies should guarantee that retailers can dispute chargebacks using just a truncated credit or debit card number in addition to a special authorization code.

"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," Hogan wrote.

In an Associated Press story, MasterCard was quoted as calling the NRF's claims "inaccurate and unjustified." MasterCard and Visa maintain that retailers can minimize their exposure by keeping customer data in a truncated format. Indeed, Visa says as much in this data security brief, published in August.
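As an added example, not from the article or from any card brand's own guidance, the block below shows what a merchant system could retain for a chargeback dispute if, as the NRF proposed, a truncated card number plus the authorization code were accepted as sufficient evidence. It also scans the retained record for any surviving full card number. The record layout and field names, the truncation format (first six and last four digits kept) and the sample transaction are assumptions; the card number is a widely published test number, not a real account.

```python
# Added example (not from the article): keep only a truncated card number plus
# the authorization code, drop everything else card-related, then verify that no
# full card number survives. Field names, truncation format and the sample
# record are assumptions; 4111111111111111 is a published test number.
import re
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check used to tell a card number from other digit runs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits (assumed truncation format)
    and mask the digits in between."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible card number")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Must never be retained after authorization: magnetic-stripe track data,
# the card verification value and PIN data. Per the NRF argument, the full
# account number, cardholder name and expiry are not needed either.
DROP_FIELDS = {"track2", "cvv", "pin_block", "pan", "cardholder_name", "expiry"}


def retain_for_dispute(txn: Dict[str, str]) -> Dict[str, str]:
    """Return the minimal dispute record: truncated PAN, authorization code
    and the non-card transaction details."""
    kept = {k: v for k, v in txn.items() if k not in DROP_FIELDS}
    kept["pan_truncated"] = truncate_pan(txn["pan"])
    return kept


PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_full_pans(text: str) -> List[str]:
    """Scan free text (a log line, a serialized record) for digit runs that
    pass the Luhn check; used to confirm nothing full-PAN was retained."""
    return [m.group(0) for m in PAN_RUN.finditer(text)
            if luhn_valid(m.group(0))]


# Constructed sample of what a point-of-sale system might capture.
SAMPLE_TXN = {
    "merchant_ref": "POS-0042-000917",
    "timestamp": "2007-10-12T14:03:11",
    "amount": "49.99",
    "auth_code": "A1B2C3",
    "pan": "4111111111111111",
    "cardholder_name": "JANE Q CUSTOMER",
    "expiry": "0912",
    "track2": "4111111111111111=09121011234567890",
    "cvv": "123",
}

if __name__ == "__main__":
    record = retain_for_dispute(SAMPLE_TXN)
    print(record)
    print("full PANs still present:", find_full_pans(str(record)))
```

The scanner is the check a practitioner actually wants: truncation only helps if the full number is not quietly kept somewhere else, such as a debug log or the raw track-2 string, so run the same Luhn-filtered digit scan over whatever the system writes to disk.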

But Scott Krugman, NRF's vice president of public relations, told Security Fix that the credit card companies are sending a mixed message, as retailers are told that they should consult with their merchant bank before making the decision to truncate stored transaction data.

To make sense of Krugman's claim, readers should understand the different players involved in processing a credit or debit card transaction. In a typical transaction, neither the customer nor the retailer directly interacts with MasterCard or Visa; rather, both parties use the card companies' networks via their respective banks. When a consumer makes a purchase at a retail store, the charge goes from the store's card processor to the Visa or MasterCard system, which in turn routes it to the bank that issued the card to the customer. Once the issuing bank confirms that the account is valid and has sufficient funds or credit available, it returns an authorization code, and the funds are later settled from the consumer's bank to the merchant's.

In the case of a chargeback, the customer is usually given a tentative credit by the issuing bank pending a more thorough investigation. The issuing bank then tells the retailer's bank that it will have to absorb the cost of the chargeback unless the retailer can prove that the charge was valid.

Krugman said the NRF was simply asking the credit card industry to guarantee that truncated card data plus an authorization code would be enough for retailers to fight invalid chargebacks passed along by the merchant banks.

"The credit card companies are basically saying that we'll have to make side deals with hundreds of banks," he said.

Avivah Litan, a financial fraud analyst with Gartner Inc., agreed. "In this case, [the credit card companies] are just saying check with your merchant bank. It's called passing the buck."

By Brian Krebs  |  October 16, 2007; 8:27 AM ET
Categories:  From the Bunker  


A couple of years ago our credit union notified us that our VISA card had been compromised because the computer of a third-party processor for a retail merchant had been stolen. Apparently, nearly 1 million credit accounts were compromised in this way.

Our card & account number were replaced & no harm was done to us but I was left with some discomfort. For example, the CU rep I spoke with told me that VISA wouldn't even reveal to the CU which retailer sustained the theft! So, there was no way for me, as a consumer, to evaluate my shopping habits & decide whether or not I wished to modify my practices or take other steps. Talk about honor among thieves!

Posted by: sc | October 16, 2007 11:31 AM

AHNEE isn't someone to get excited about. He was a poor actor; he's a worse politician.

Posted by: Rick | October 16, 2007 12:34 PM

Gov. Arnold Schwarzenegger of California is not educated, nor a good politician; he is only a rubber stamp Governor. He has no knowledge of what is going on in the world, or even in California!

Posted by: Akber Kassam. | October 16, 2007 1:07 PM

Another good law down the tubes due to the criminal practices of American corporations and their bought-and-paid-for politicos. When is the American electorate going to wake up and wise up? It's time to put the usurers of the banking system in jail along with the credit card fraudsters and their politico cohorts.

And the lady said she felt ill at ease. Hell, I'd have been furious. The police would have had to take me out. But they can't take us all out. Wake up, people. "Wake up and sign ze paper, old man" is what it's coming to. All hail ze new Führer, Governor Terminator Number Two.

Posted by: Jason Abdon | October 16, 2007 5:53 PM

This law has/had some interesting aspects to it. One, it was a strict liability standard, meaning that the retailers could offer no legal defense to the data breach. Strict liability standards always get people's attention. IOW, regardless of how blameless the retailers might have been, they were liable. Second, on a rather ironic note, the banks were claiming damages for FUTURE harm that may, or may not, manifest itself. This is ironic because this theory of recovery for damages/loss incurred because of POSSIBLE future harm is exactly the same one they, the banks and cc companies, have been resisting when consumers sue because of fear of future harm from theft of their data as a result of a breach. The theory the banks'/cc companies' lawyers offered was that the damages were too speculative. However, in the banks'/cc companies' case, the damage was not too speculative. Courts have been siding with the banks'/cc companies' legal theory. So, what is good for the goose is not good for the gander.

Posted by: jonst | October 16, 2007 6:58 PM

The proponents of this bill are going:


Posted by: Steve Ballmer | October 16, 2007 7:53 PM

There are really only two things that we, as consumers, require of those who handle our confidential information: 1. Prevention of inappropriate/unauthorized disclosure and 2. Remediation of personal/financial problems caused by such disclosures.

Since market decisions are driven by regulation and/or economic feasibility, one would hope for -- and expect -- legislative relief for consumers. Failing that, poor stewards of our confidential information can expect to be faced with class action lawsuits that will make it obvious that prevention IS the economically feasible course.

Posted by: Craig Herberg | October 17, 2007 12:50 PM

If the bill passed the assembly by such a majority, it seems to me that there would be little trouble in overriding Arnold's veto.

BTW, if Arnold were in fact a rubber stamp governor, he would not have vetoed the bill to begin with.

Posted by: EVDriver | October 18, 2007 11:02 PM

I work in an IT department just like you. We have really been struggling to get an accurate view of our network, as things have gotten jumbled over time. Of course this makes a security audit practically impossible and useless! What happens next? We get countless trash thrown at the network in the form of viruses, malware and many other types of threats.

In order to perform a proper security risk assessment we really need some new type of network security. I've been looking over this program called Retina. I've used products from eEye before and they all worked out rather well and performed exceptionally but I know little of Retina. Have you ever tried this or know someone who has? I'd like to propose using this to the boss but I'd like to know a little more first. Thanks!

Posted by: Stan | October 23, 2007 10:36 AM


© 2010 The Washington Post Company