Monday, March 8, 2010
The legislative outlook for payment acquiring is mixed. In issues related to data security, the industry has emerged as a role model of sorts, with lawmakers taking a cue from the Payment Card Industry (PCI) Data Security Standard (DSS). Meanwhile, the debate over interchange has resurfaced amid rumors that at least one ranking Democrat in the U.S. Congress is considering new legislation.
The National Association of Convenience Stores reported in its member bulletin that Sen. Arlen Specter, D-Pa., plans to pursue interchange legislation similar to a bill introduced in the House of Representatives in 2009 by Rep. Peter Welch, D-Vt. A spokeswoman for the Senator, speaking on background, said an interchange bill is under consideration, but no formal decision has been made.
That Welch bill, H.R. 2382, the Credit Card Interchange Fees Act, addresses the permissibility of discounts for cash payments and the honor-all-cards rules. It has been stuck in the House Banking Committee since its introduction, and in February, Rep. Barney Frank, D-Mass., Chairman of the Banking Committee, said publicly that he had no plans to move interchange legislation through the committee this year.
Sen. Specter is no stranger to the issue of interchange. In May 2008, commenting in response to a General Accountability Office report on interchange, he suggested "remedial legislation" might be necessary if banks and merchants can't come to terms over interchange.
Meanwhile, with identity frauds reaching unprecedented levels, lawmakers appear to be taking a cue from payment companies and implementing data security rules that closely resemble the PCI DSS.
The latest example is Massachusetts, where new data security regulations that took effect March 1, 2010, mandate that every company with customers in the state have plans in place to protect the private information of these customers from identity thieves. Security measures prescribed by the new regulations include data encryption, employee training and a written plan that details how data will be protected from theft or loss.
The state's chief consumer affairs advocate said the new law was prompted by a recent surge in identity thefts involving residents of the state. "In two years, over one million pieces of information belonging to Massachusetts residents were lost or stolen," said Barbara Anthony, Undersecretary of State for Consumer Affairs and Business Regulation. "What these regulations do is create a culture of security."
"This is leading-edge legislation," said Eduard Goodman, Chief Privacy Officer at Identity Theft 911, a Scottsdale, Ariz., firm specializing in identity management and data breach remediation services. From a lawyer's perspective, it helps to have laws like these on the books when aggrieved parties are seeking damage awards, Goodman added.
The new Massachusetts law follows a Nevada law that became effective Jan. 1, 2010. That law codifies the PCI DSS, making it a violation of state law for any company accepting credit cards in Nevada not to be in compliance with the PCI DSS. Nevada companies that don't accept card payments, but otherwise collect customer data, are required under the new law to encrypt all stored and transmitted customer information.
"What we're seeing is a basic codification of security best practices 101," Goodman said.
Goodman believes that, taken together, the Massachusetts and Nevada laws are a big deal – as momentous as the first state data breach notification statute enacted by California in 2002. Today, all but a handful of states have similar data breach notification laws in place.
Goodman described this first batch of data security legislation as useful but "reactive." The trend set into motion by Massachusetts and Nevada is all about "prescriptive security," he noted. "I think it's a game changer," he said of the new Massachusetts law. "This is not the last state that will pass something like this. This is a nonpartisan issue."
The Federal Trade Commission reported last month that identity theft topped the list of consumer complaints to the agency's offices last year. About one in five of the 1.3 million complaints received involved identity frauds, the FTC said.
Shortly, FTC Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan are slated to announce a major federal-state initiative to combat identity fraud.