Two important new rules—one a national rule imposed by the credit card brands, and one specific to Minnesota imposed by the legislature—are affecting merchants and retailers that obtain credit card information from customers in the course of their business.
Businesses must comply with data security rules by September 30
Last year VISA and MasterCard announced new data security rules (the Payment Card Industry Data Security Standard, or PCI DSS) to protect merchants and consumers from the risk associated with the growing incidence of identity theft and fraud.
Among the requirements, businesses must comply with the following rules by September 30, 2007:
Storage of cardholder information. The full contents of the card's magnetic stripe and the card validation codes (the three-digit CVV2/CVC2 printed on the card) may not be stored after a transaction is authorized, under any circumstances. Only the portion of the customer's account information that the business actually needs for the transaction may be kept, and only in a secure area accessible to authorized personnel.
Destruction of cardholder information. Businesses must destroy paper and electronic records of past transactions that still contain cardholder information.
Use of agents or third parties. Every vendor, agent or service provider that handles card data on the business's behalf must be told about these rules and must agree to follow them.
Reporting a security incident. If credit card data is accessed by an unauthorized party, the business must immediately notify the merchant bank or processing contact for each card brand affected. Prompt notification limits the risk to the payment system and protects the affected customers.
A recent article in American Banker Online, however, suggests that half of all merchants in the United States have not yet taken steps to comply with the rules, putting them at risk for hefty penalties if they are not in compliance by the deadline.
Minnesota law regulating credit card information effective August 1
A new Minnesota law regulating the retention of credit card information took effect on August 1, 2007. It affects everyone who holds a credit card and everyone who handles credit card transactions, so anyone who touches credit card information of any kind needs to be aware of it. The law (Minn. Stat. 325E.64; H.F. 1758) states that "no person shall store the PIN or CVV (security code) for more than 48 hours after the transaction is authorized."
A year from now—on August 1, 2008—the law gains teeth: a person who holds such information beyond the allowed period becomes liable for all costs associated with unauthorized use of the card if that person's security is breached and the card, together with its PIN or CVV code, is then misused.
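To make the storage rules concrete, here is an added example in Python; it is not from the article, the card brands, or the Minnesota legislature. It assumes a simple transaction record layout with constructed field names (pan, cvv, pin, track2, authorized_at, notes), and the sample records are constructed test data using well-known Luhn-valid test card numbers. The sanitizer keeps only what the card-brand rule allows (last four digits of the PAN, no validation code, PIN or track data), and the scan reports three kinds of findings in stored data: prohibited fields present at all (card-brand rule), PIN or CVV still held more than 48 hours after authorization (the Minnesota window), and full card numbers that leaked into free-text fields, detected by a Luhn check so that ordinary 16-digit order references are not flagged.

```python
import re
from datetime import datetime, timedelta, timezone

# Fields the card-brand rule says must never be stored after authorization
# (constructed field names for this example).
PROHIBITED_FIELDS = ("cvv", "pin", "track2")

# Minnesota window for holding a PIN or CVV after authorization (article: 48 hours).
MN_WINDOW = timedelta(hours=48)

# Candidate card numbers: 13-19 digit runs. Confirmed with a Luhn check below.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; true for real card numbers, usually false for other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sanitize_for_storage(record: dict) -> dict:
    """Return only what may be persisted: drop CVV/PIN/track data, keep the PAN's last four digits."""
    clean = {k: v for k, v in record.items()
             if k not in PROHIBITED_FIELDS and k != "pan"}
    clean["pan_last4"] = record["pan"][-4:]
    return clean


def find_violations(records: list, now: datetime) -> list:
    """Scan stored records; return (record_id, rule, detail) tuples for each problem found."""
    findings = []
    for rec in records:
        rid = rec["id"]
        stored = [f for f in PROHIBITED_FIELDS if rec.get(f)]
        if stored:
            findings.append((rid, "card-brand", "stores " + ",".join(stored)))
            age = now - datetime.fromisoformat(rec["authorized_at"])
            if age > MN_WINDOW and any(f in stored for f in ("cvv", "pin")):
                hours = int(age.total_seconds() // 3600)
                findings.append((rid, "mn-48h", "PIN/CVV held %d hours after authorization" % hours))
        # Full PANs hiding in free-text fields (notes, logs) are a classic leak.
        for key, val in rec.items():
            if key in ("pan", "pan_last4") or not isinstance(val, str):
                continue
            for candidate in PAN_RE.findall(val):
                if luhn_valid(candidate):
                    findings.append((rid, "pan-leak", "full card number in field %r" % key))
    return findings


# Constructed sample data. 4111111111111111 and 5555555555554444 are standard test numbers.
NOW = datetime(2007, 8, 5, 12, 0, tzinfo=timezone.utc)

RAW_RECORD = {
    "id": "txn-0", "pan": "4111111111111111", "cvv": "123",
    "track2": "4111111111111111=0912101", "amount": 19.99,
    "authorized_at": "2007-08-05T11:00:00+00:00",
}

STORED_RECORDS = [
    # Correctly sanitized: a non-Luhn order reference in the notes must not be flagged.
    {"id": "txn-1", "pan_last4": "1111", "amount": 19.99,
     "authorized_at": "2007-08-02T10:00:00+00:00", "notes": "order ref 1234567890123456"},
    # CVV stored 10 hours after authorization: breaks the card-brand rule, still inside 48 h.
    {"id": "txn-2", "pan_last4": "1111", "cvv": "123", "amount": 5.00,
     "authorized_at": "2007-08-05T02:00:00+00:00"},
    # PIN stored 72 hours after authorization: breaks both rules.
    {"id": "txn-3", "pan_last4": "4444", "pin": "4321", "amount": 80.00,
     "authorized_at": "2007-08-02T12:00:00+00:00"},
    # A full card number copied into a free-text field.
    {"id": "txn-4", "pan_last4": "4444", "amount": 42.00,
     "authorized_at": "2007-08-05T09:00:00+00:00",
     "notes": "customer called about card 5555555555554444"},
]

if __name__ == "__main__":
    print("sanitized:", sanitize_for_storage(RAW_RECORD))
    for finding in find_violations(STORED_RECORDS, NOW):
        print("%s  %-10s %s" % finding)
```

The scan is the kind of check a merchant could run over a transaction database or log archive before the deadline; a record that trips "card-brand" should be fixed by running it through the sanitizer rather than merely purged at 48 hours, since the Minnesota window is the outer limit, not the target.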