New Data Breach Law Says Assessor—Not Visa—Has The Final Word

Written by Evan Schuman
May 12th, 2010

One of the top ongoing concerns about PCI compliance—the absence of a true safe harbor—has been obliterated in the state of Washington, thanks to a new law signed by Gov. Chris Gregoire. Well, obliterated to the extent that the law otherwise requires reimbursement of a financial institution’s reasonable actual costs “even if the financial institution has not suffered a physical injury in connection with the breach.”

The absence of a safe harbor has meant that a retailer certified as PCI compliant isn’t really protected from anything when a breach happens. That’s because Visa and others do not hesitate to conduct post-breach probes and find something–anything–to conclude that the chain wasn’t actually compliant at the time of the breach. That’s how Visa has been telling audiences that “no compromised entity has been found to be compliant at the time of the breach.” It’s a lesson processor Heartland learned well.

In Washington state, the new law is trying to force retailers to reimburse various financial institutions for any cost incurred due to a breach. The retail chain is now “liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards that are incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders who reside in the state of Washington as a consequence of the breach, even if the financial institution has not suffered a physical injury in connection with the breach.”

Physical injury? Are they seeing a lot of Seattle processors jumping out of windows after a breach or something? No matter. The more interesting part of the new law is the PCI section and wording that make it clear the Washington state government is now wise to the post-breach “Compliance? What compliance?” game.

First, the law gives a pass to any breached retailer that certified PCI compliant at the time of the breach. But the law then specifies that the post-breach game won’t fly in the state of Washington: A retailer “will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer’s] security assessment of compliance is nonrevocable.”

Nonrevocable, eh? Finally, someone has bought into the concept of safe harbor. If a chain gets certified, it will be safe, at least from processors and banks in the state of Washington. (Speaking of Washington, if the feds do the same thing, we’ll be really getting somewhere.)

That said, the Washington law isn’t perfect. First, there is no reference to consumer compensation for the breach, so that issue is still active. Consumers who are impacted by the breach (time spent getting money back, bounced checks fixed and credit records repaired) but who suffer no financial losses (because of zero-liability reimbursements) are still unprotected, even in the state of Washington, because the bill simply doesn’t address consumer compensation.

In addition, the law has a vague reference to encryption, namely that the chain also gets a pass if “the account information was encrypted at the time of the breach.” But it doesn’t specify the level of encryption, nor does the law mention what happens if the cyberthief also obtained the encryption key. That’s not a hypothetical concern; it was an issue that TJX raised in an SEC filing shortly after announcing its data breach: “We believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”

Flaws aside, the Washington state law at least gives Washington-state-based retailers (are you listening, Amazon, Costco and Starbucks?) and retailers who have a substantial presence in the state a little more cost justification for PCI. And that can’t be a bad thing.


2 Comments

  1. Walt Conway Says:

    The Washington law is interesting in that it not only refers to PCI specifically, but that it appears to offer safe harbor if “compliance was validated by an annual security assessment.” Does this mean self-assessment doesn’t count? If so, is safe harbor only for Level 1 and some Level 2 merchants?

    Also, while Washington offers safe harbor for a year after an assessment, it seems to ignore (or assume) the other, ongoing PCI compliance requirements like a 6-month firewall rule review, passing quarterly external vulnerability scans, and daily log reviews. What if a company validated (there is no such thing as “certified”) their compliance, then failed their scans and did not remediate the vulnerabilities? Better yet, what if one of these vulnerabilities was the source of the breach?

    Then, as you point out, there is the rather confusing/incomplete section on encryption. At least PCI spells out what constitutes strong encryption. Would, say, tokenization or hashing provide a merchant with safe harbor since neither is encryption?

    I’m a big fan of safe harbor, but I would like it better if the card brands who understand the business would take it on rather than individual state governments that seem to rely on an imperfect or incomplete reading of PCI. Next we’ll get to see what happens as PCI changes and evolves. Remember, PCI is a data protection standard — not a security standard.

  2. M. Dunn Says:

    As a POS software developer, I am simply amazed at the idea that VISA USA, etc. can offer such a flawed product (flawed in the sense that it is trivial to counterfeit), and yet everyone but VISA must spend serious money to shore up their flawed product.

