Friday, May 14, 2010

Washington State Gives PCI-Compliant Vendors "Safe Harbor"

StorefrontBacktalk reports that a new law signed by Washington State Gov. Chris Gregoire "gives a pass to any breached retailer that certified PCI compliant at the time of the breach.... the law then specifies that a retailer 'will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer's] security assessment of compliance is nonrevocable.'"

"Finally, someone has bought into the concept of safe harbor. If a chain gets certified, it will be safe, at least from processors and banks in the state of Washington. (Speaking of Washington, if the feds do the same thing, we’ll be really getting somewhere.)

"That said, the Washington law isn’t perfect. First, there is no reference to consumer compensation for the breach, so that issue is still active. Consumers who are impacted by the breach (such as time spent getting money back and bounced checks fixed and credit records repaired) but suffer no financial losses (because of reimbursements)—courtesy of zero liability—are still unprotected, even in the state of Washington, because the bill simply doesn’t address consumer compensation.

"In addition, the law has a vague reference to encryption, namely that the chain also gets a pass if 'the account information was encrypted at the time of the breach.' But it doesn’t specify the level of encryption, nor does the law mention what happens if the cyberthief also obtained the encryption key. That’s not a hypothetical concern; it was an issue that TJX raised in an SEC filing shortly after announcing its data breach: 'We believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.'

"Flaws aside, the Washington state law at least gives Washington-state-based retailers (are you listening, Amazon, Costco and Starbucks?) and retailers who have a substantial presence in the state a little more cost justification for PCI. And that can't be a bad thing."

We thank SFBT editor Evan Schuman for this important new information.
