
PCI laws are expanding around the country, and Washington State is the latest to add one to its books. Washington follows Nevada and Minnesota in writing Payment Card Industry Data Security Standard (PCI DSS) requirements into state law; the bill is HB 1149. It amends the breach notification law the state already had. The key point is that it gives issuing banks a way to recover the cost of reissuing payment cards after a breach.

Organizations that must abide by the law

It defines “business(es)” as merchants that process more than six million card transactions annually and sell to Washington state residents. “Processors” manage account information on behalf of others, and “vendors” sell software or equipment that processes, transmits or stores account information. “Account information” itself is not so clearly defined. It will be interesting to see how companies outside the state are affected. PCI security assessments are going to become even more prevalent.

How is the law implemented?

Entities that fall under the law are required to take reasonable security measures to protect account information. If they fail to, they can be liable for damages, and having to reimburse the issuing banks for the cost of reissuing cards can get very expensive. The law should probably have been clearer on this point.

A breach is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” There is room for confusion between “account information” and “personal information,” and that will probably cause problems in future lawsuits. Encryption is also going to be a challenge, both in implementing it and in reviewing it against the compliance requirements.

How this law integrates or conflicts with PCI DSS requirements will be newsworthy. The merchant levels defined by PCI DSS and the thresholds identified by the law are not completely consistent. Can a PCI SAQ self-assessment be enforced by the law? Can you be PCI compliant and not compliant with the law, or vice versa? I would venture to say yes.

If only we had a national standard for all of this. Wouldn’t that be a progressive move?

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
