States Scaring The POS Off Randomly Regulated Retailers

Written by Fred J. Aun
June 24th, 2009

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”?

Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers.

The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.

As noted by New York law firm Hunton & Williams, “Minnesota law currently codifies certain select PCI DSS requirements. The new Nevada law is significantly more comprehensive, however, since it adopts the PCI DSS in its entirety by reference.”

On the same day, a new data protection law goes into effect in Massachusetts. It has been described as one of the toughest such laws in the world.

(Not all state efforts are frightening retailers. See our related story about state attorneys general trying to discipline TJX this week. The Keystone Cops are more frightening.)

Meanwhile, E-Commerce players, such as Amazon, are battling it out with states over sales tax collection. In a letter it reportedly sent Monday (June 22) to California legislators, Amazon threatened to stop doing business with its marketing affiliates in the Golden State if it is forced to collect sales taxes there under a proposed law, similar to one it’s fighting in New York, that it believes to be unconstitutional.

The passage of bills like these, which usually differ (often slightly and sometimes largely) from other states’ regulations, has created a dizzying patchwork of often conflicting state laws, regulations and proposals. Learning about, lobbying for or against and eventually complying with these government initiatives puts a financial and logistical strain on even the largest retailers and their IT departments. Doing so can be enough to quash expansion plans by smaller players.

“It’s extremely difficult to keep up with all the state announcements,” said lawyer Lisa Sotto, a partner in the New York office of Hunton & Williams and head of the firm’s privacy and information management practice. “There are 47 states and other jurisdictions with data breach notification laws and they’re all a little bit different. The same tenor is followed in all these laws, but the verbiage differs and some of them are substantively quite different. So we are dealing with a non-harmonized regime on the state level. It’s impossible, it really is.”

