Is Nevada's New Privacy Law a 'Game-Changer?'
A First: PCI Compliance Mandated for State's Merchants
The answer is "yes," according to Nevada, which has passed a new law that, as of next year, requires businesses to comply with PCI when collecting or transmitting payment card information.
Nevada is the first state to mandate full PCI compliance for businesses. Minnesota in 2007 incorporated only a portion of PCI in its Plastic Card Security Law.
According to Nevada's new law, if a data collector doing business in that state accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of PCI DSS, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.
Is it a Game-Changer?
As states rush to adopt or strengthen privacy legislation, Nevada's move is seen by some observers as a potential "game-changer." But they question whether states should be in the business of mandating compliance with an industry standard.
Privacy and information security expert Dr. Larry Ponemon, President and Founder of the Ponemon Institute, says that generally the law makes sense because PCI provides reasonable security requirements that should be achievable by most companies. Yet, he is somewhat concerned that government entities like Nevada are now legislating detailed information security requirements for business. "PCI is a self-regulatory program. I'm sure that mandated compliance through legislation was never anticipated by the program founders," Ponemon states.
"I imagine that many other states that have been waiting in the wings will also follow suit, as happened after the California Data Breach Notification Laws," says Nick Holland, senior analyst at Aite Group, a research firm that studies trends in the financial services industry. "I'm not sure, however, if leaving the compliance dates to individual card brands rather than the PCI Security Standards Council may cause some problematic ambiguity. Would there be a possibility for card networks having separate compliance dates?"
Holland notes that Aite has just surveyed payment card industry executives, and that respondents, while expecting states to bring legislation forward, do not believe government intervention is required to make PCI enforceable. "Instead, it was considered that the card networks need to play a bigger role in enforcing compliance," he notes.
When Agnes Bundy Scanlan, an attorney at Goodwin Procter and a board member of the International Association of Privacy Professionals (IAPP), recently attended a privacy association meeting, she was surprised to learn that this new law was not on privacy professionals' radar. "Notably, the law has not attracted the same attention as the new Massachusetts law or any of the California data and privacy laws," says Bundy Scanlan. "Nevertheless, like the Massachusetts law, this Nevada PCI compliance might become a model for other states. Also of note -- this law has a safe harbor for merchants already compliant with PCI."
Law Categorizes Merchants
The law places companies that collect personally identifiable information (PII) into one of two categories: those that accept payment cards, and all others. For those that accept payment cards and are already subject to PCI DSS, not much changes, apart from the fact that they can now be held liable for noncompliance under state law, instead of merely being disqualified from accepting cards, notes Tom Wills, Senior Analyst, Security & Fraud, Javelin Strategy and Research.
"For most retail merchants, not being able to take credit and debit cards is a pretty significant penalty," Wills says. "So with the added kick, the law may incent a few previously reluctant merchants to step up to PCI compliance, but otherwise it's not earth shattering."
For the other companies that don't handle payment cards, the law raises the bar on information security. But there's a caveat to all of this, warns Wills. Complying with PCI-DSS, or any regulation, is not the same as having a comprehensive information security program that's based on continuously assessing risks and correcting for them. Compliance is a step in the right direction, "But all too often those involved (merchants, financial institutions, regulators and legislators) treat it as adequate security in its own right, and it's not," Wills says. "Without an accompanying awareness program, enshrining PCI-DSS in law won't change that."
Will the new law cut down on fraud? The Nevada law is a small step in the right direction, Wills says, "But I don't expect fraud levels to drop significantly because of it, unless we see a strong educational push at the same time. And I haven't seen evidence of that as yet."
New Twist: Encryption
The Nevada law also has an added twist for companies to wrestle with, says David Taylor, Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner. "In addition to requiring PCI compliance, it also adds language requiring encryption (which is vaguely defined as being standardized in some way) between entities, though not over private networks within an entity."
Given that this provision is already covered in PCI (including the exclusion of encryption over private networks within an entity), "this is yet more proof that government organizations should not be writing technically-detailed security legislation," Taylor writes in his blog entry. He notes that the PCI standard emerges from an arduous (if controversial) vetting process. Since security legislation does not have to go through such a process, he says he remains skeptical that state, federal or international legislation can improve on what PCI DSS already provides in terms of technical detail.
"Like it or hate it, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process," Taylor says. "That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws."