New Data Breach Law Says Assessor—Not Visa—Has The Final Word
Written by Evan Schuman, May 12th, 2010
One of the top ongoing concerns about PCI compliance, the absence of a true safe harbor, has been obliterated in the State of Washington, thanks to a new law signed by Gov. Chris Gregoire. Obliterated, that is, within a law that otherwise requires reimbursement of a financial institution's reasonable actual costs after a breach "even if the financial institution has not suffered a physical injury in connection with the breach."
The law specifies that the post-breach game of retroactively revoking a breached retailer's compliance status won't fly in the state of Washington: A retailer "will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer's] security assessment of compliance is nonrevocable."
May 13th, 2010 at 1:42 am
The Washington law is interesting in that it not only refers to PCI specifically but also appears to offer safe harbor if “compliance was validated by an annual security assessment.” Does this mean self-assessment doesn’t count? If so, is safe harbor only for Level 1 and some Level 2 merchants?
Also, while Washington offers safe harbor for a year after an assessment, it seems to ignore (or assume) the other, on-going PCI compliance requirements like a 6-month firewall rule review, passing quarterly external vulnerability scans, and daily log reviews. (See: http://www.storefrontbacktalk.com/securityfraud/pci-compliance-is-good-data-security-is-better/) What if a company validated (there is no such thing as “certified”) their compliance then failed their scans and did not remediate the vulnerabilities? Better yet, what if one of these vulnerabilities was the source of the breach?
Then, as you point out, there is the rather confusing/incomplete section on encryption. At least PCI spells out what constitutes strong encryption. Would, say, tokenization or hashing provide a merchant with safe harbor since neither is encryption?
I’m a big fan of safe harbor, but I would like it better if the card brands who understand the business would take it on rather than individual state governments that seem to rely on an imperfect or incomplete reading of PCI. Next we’ll get to see what happens as PCI changes and evolves. Remember, PCI is a data protection standard — not a security standard.
May 20th, 2010 at 2:43 pm
As a POS software developer, I am simply amazed at the idea that VISA USA, etc. can offer such a flawed product, (flawed in the sense that it is trivial to counterfeit), and yet everyone but VISA must spend serious money to shore up their flawed product.