Is PCI Compliance a Law? Should it be?
Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws already in effect (and others that may take effect) that put components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade associations to enact a federal law covering data security and breach notification.
In 2007 Minnesota established the “Plastic Card Security Act”, which states that any company that is breached and is found to have been storing “prohibited” PCI data (e.g., magnetic stripe data, CVV codes, track data, etc.) is required to reimburse banks and other entities for the costs of blocking and reissuing cards. The law also opens these companies up to private lawsuits. Currently, the law does not affect Level 4 merchants (fewer than 20,000 transactions a year).
Massachusetts recently announced that it will introduce a new law, 201 CMR 17.00, which pulls some important concepts from the PCI DSS. For example, the law has requirements around limiting the data collected, maintaining written security policies, and encrypting data. This law would apply to any company that holds or handles data on customers based in Massachusetts. Enforcement of this law was recently pushed back until 2010, but unlike earlier laws, this one has no stipulation that excludes Level 4 merchants from complying with the legislation.
Currently none of the state laws mentioned above specifically calls out PCI compliance, but the parallel is obvious. More and more states are requiring that customers be notified after a data breach, and as time goes on, the definition of what data counts as personal information will expand to include credit card numbers.
Will we ever see adherence to PCI compliance called out specifically in a law? It is unlikely, but nothing is outside the realm of possibility. Government typically moves slowly, and PCI compliance is still evolving; it will be difficult for legislatures to keep up with all the necessary technology changes. It is more likely that, as time goes on, more and more states will classify credit card information as personal information and adopt punitive measures to hold companies with negligent or non-existent security accountable. In the future there may also be direct financial incentives for companies with strong security postures, and PCI compliance is a great step towards becoming secure.