Minnesota Gives PCI Rules a Legal Standing
Minnesota last week became the first state in the country to turn a core requirement of the Payment Card Industry (PCI) Data Security Standard into a law.
Under the state's Plastic Card Security Act, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards.
They could also be subject to lawsuits filed by individuals claiming to have been affected by violations of the law, which was signed by Gov. Tim Pawlenty after previously being approved by overwhelming margins in the Minnesota House and Senate. The law applies to all companies that process more than 20,000 card transactions annually.
The PCI standard, which was created by the major credit card companies, specifically prohibits retailers and other merchants from storing card data, such as the three- and four-digit verification codes on the back of cards and the full contents of a card's magnetic stripe.
Nevertheless, some retailers continue to keep card data on their systems, a practice that poses the greatest of any security risks to the information, said Mara Humphrey, director of governmental affairs at the Minnesota Credit Union Network in St. Paul. "PCI rules make it explicitly clear that you are not supposed to be storing it," Humphrey said, adding that the new state law formally reinforces that requirement.
The credit union association was a major supporter of the legislation. Humphrey said the group's interest in the measure was driven by the increasing costs faced by its nearly 160 members as a result of data breaches at merchants. "We've been hearing from credit unions who were very frustrated with the number of data breaches and the number of times they've had to reissue cards," she said. "They're frustrated that the onus has entirely been on them and not on the merchant."
No Time in Texas
The Minnesota law is similar to one that was proposed in Texas this year. The Texas House of Representatives passed that bill by a vote of 139-0 early this month, but the proposal failed to make it through the Texas Senate because there wasn't enough time before today's scheduled ending of the state's regular biennial legislative session.
(Read Original Article - Via Computerworld Cybercrime/Hacking News.)