Schwarzenegger Vetoes Retail Data Security Bill
California Gov. Arnold Schwarzenegger (R) on Friday vetoed a bill that would have forced retailers to foot more of the bill in cleaning up after customer data spills.
The bill was unanimously approved by the Assembly, with the state Senate passing it in a bipartisan 30-6 vote. Still, Schwarzenegger opted to "terminate" the bill, saying in his veto message that it threatened to place burdensome costs on small businesses and attempted "to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."
The legislation was first offered in February, just weeks after retailer TJX Companies disclosed that a series of data breaches at Marshalls and other TJX retailers had resulted in the loss or theft of more than 45 million credit and debit card numbers over an 18-month period. TJX was forced to disclose the compromise due to the proliferation of state data breach disclosure laws, most of them modeled after California's first-in-the-nation law.
The legislation vetoed by Schwarzenegger would have forced retailers who experience a data breach or loss to reimburse California banks for the costs of debit and credit card replacement and consumer notification. The measure also would have essentially codified the payment card industry (PCI) standards, a set of credit card association requirements designed to safeguard consumer data. In the case of the TJX compromise, investigators found the company had not encrypted customer data, a key component of the PCI standards.
Schwarzenegger said the payment card industry "is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards."
According to Visa USA, only about 45 percent of large retailers are compliant with the PCI standards.
Interestingly, a Washington lobbying group for the retail industry recently challenged the credit card industry to consider alternative ideas for preventing credit and debit card theft. In its letter, the National Retail Federation urged Visa and MasterCard to stop requiring retailers to hold onto credit card numbers and other information associated with customer transactions.
While the PCI standards bar retailers from storing the data as encoded on the magnetic stripe on the back of credit and debit cards, the NRF said credit card companies currently require retailers to store the information found on the front of cards -- including cardholder name, account number and expiration date -- for up to 18 months in case the retailer's financial institution needs to investigate a customer chargeback. A chargeback happens when a consumer calls his or her credit card issuer and disputes a particular charge.
NRF's David Hogan suggested that credit card companies should guarantee that retailers can dispute chargebacks using just a truncated credit or debit card number in addition to a special authorization code.
"It makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them," Hogan wrote.
In an Associated Press story, MasterCard was quoted as calling the NRF's claims "inaccurate and unjustified." MasterCard and Visa maintain that retailers can minimize their exposure by keeping customer data in a truncated format. Indeed, Visa says as much in this data security brief, published in August.
But Scott Krugman, NRF's vice president of public relations, told Security Fix that the credit card companies are sending a mixed message, as retailers are told that they should consult with their merchant bank before making the decision to truncate stored transaction data.
To make sense of Krugman's claim, readers should understand the different players involved in processing a credit or debit card transaction. In a typical transaction, neither the customer nor the retailer directly interacts with MasterCard or Visa; rather, both parties use the credit card companies' networks via their respective banks. When a consumer makes a purchase at a retail store, the charge goes from the store's credit card processor to the Visa or MasterCard system, which in turn determines the bank that issued the credit card to the customer. Once the processor verifies that the customer's account is valid and has sufficient funds or credit available, the funds are transferred from the consumer's bank to the merchant's.
In the case of a chargeback, the customer is usually given a tentative credit by their issuing bank pending a more thorough investigation. The customer's financial institution then tells the retailer's bank that they will have to pay the cost of the chargeback unless they can prove that the charge was valid.
Krugman said the NRF was simply asking the credit card industry to guarantee that truncated card data plus an authorization code would be enough for retailers to fight invalid chargebacks passed along by the merchant banks.
"The credit card companies are basically saying that we'll have to make side deals with hundreds of banks," he said.
Avivah Litan, a financial fraud analyst with Gartner Inc., agreed. "In this case, [the credit card companies] are just saying check with your merchant bank. It's called passing the buck."
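The arrangement the NRF is asking for, as an added example that is not from the article or from any card network: a retailer keeps only a truncated card number and the issuer's authorization code, drops the cardholder name and expiration date at authorization time, and matches an incoming chargeback on those two stored fields. The truncation rule (first six and last four digits), the record layout and the sample card number are all assumptions.

```python
# Added example (not the article's or any card network's code): retain only a
# truncated card number plus the authorization code, and resolve chargebacks
# from those two fields. Truncation rule and record layout are assumptions.
from dataclasses import dataclass
from typing import List, Optional


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits of a card number; mask the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class StoredTransaction:
    truncated_pan: str  # never the full account number
    auth_code: str      # authorization code returned when the charge was approved
    amount_cents: int
    date: str           # ISO date of the sale


class TransactionStore:
    """What the retailer keeps for the chargeback window: no name, no expiry."""

    def __init__(self) -> None:
        self._records: List[StoredTransaction] = []

    def record_authorization(self, pan: str, expiry: str, cardholder: str,
                             auth_code: str, amount_cents: int, date: str) -> StoredTransaction:
        # expiry and cardholder arrive with the authorization but are deliberately
        # not persisted; a breach of this store exposes neither.
        del expiry, cardholder
        rec = StoredTransaction(truncate_pan(pan), auth_code, amount_cents, date)
        self._records.append(rec)
        return rec

    def find_for_chargeback(self, truncated_pan: str, auth_code: str) -> Optional[StoredTransaction]:
        """Locate the sale a disputed charge refers to using only truncated PAN + auth code."""
        for rec in self._records:
            if rec.truncated_pan == truncated_pan and rec.auth_code == auth_code:
                return rec
        return None


if __name__ == "__main__":
    store = TransactionStore()
    # constructed sample transaction; 4111... is a widely used test card number
    sale = store.record_authorization("4111 1111 1111 1111", "12/09", "J. Doe",
                                      "A1B2C3", 4999, "2007-10-12")
    print(sale)
    print(store.find_for_chargeback("411111******1111", "A1B2C3") is sale)
```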