You’ve heard the saying. What happens in Vegas stays in Vegas.
That might be true for vacationers. But thanks to a new Nevada law, merchants in that state won’t have it so easy: If you receive, transmit or store payment card information, and you’re not PCI compliant next year, you’ll be breaking the law.
Yes, Nevada has become the first state to legislate full PCI Data Security Standard compliance. Only Minnesota’s 2007 law, which involves a small portion of PCI rules, comes close. California and other “progressive” states haven’t even touched this; they’ve only passed breach notification laws or other less strict data privacy laws.
If you’re a merchant in Nevada, the effect is obvious. Comply or face additional penalties on top of those imposed by the credit card brands. Plus, the new law, SB 227, among other things, specifically mandates the encryption of customer data transmitted between entities. (PCI DSS already requires this, by the way.)
If you don’t do business in the Silver State, the effect could be the same. That’s because many experts, with good reason, predict other states will follow suit. Time and time again, states have followed California’s lead on similar issues.
Whether you like PCI DSS or not, or government regulation on this issue, there are some serious questions to think about.
What happens if 50 different states pass 50 different PCI-related laws? That could be rather confusing, cumbersome…and expensive. At least with Sarbanes-Oxley, a controversial accounting oversight law, it’s federal. That means one rule. In 50 states.
Also, the PCI Security Standards Council went through a thorough process to come up with its rules. Some experts, such as David Taylor, founder of the PCI Knowledge Base, worry that state legislators will not go through the same process. In a recent blog post, Taylor laments that the Nevada law makes a point of adding an encryption requirement when encryption was already included in the PCI rules. (Further, encryption itself is hardly standardized.)
“This is more proof that government organizations should not be writing technically-detailed security legislation,” Taylor writes. He continues: “Since security legislation does not have to go through such a process, I remain skeptical that state, federal or international legislation can improve on what PCI DSS already provides in terms of technical detail.”
I also wonder how strictly, if at all, these state laws will be enforced. Another thing to consider: will Nevada’s upcoming law, and other PCI-related laws, actually put a dent in fraud?
Quoted in BankInfoSecurity.com, Tom Wills, a senior analyst for Javelin Strategy and Research, says Nevada’s interest is a step in the right direction. But, ultimately, “I don’t expect fraud to drop significantly because of it—until we see a strong educational push,” he says.
Bottom line, legislation might spread the wrong belief that PCI compliance is the absolute goal. As I’ve said several times in this blog, PCI compliance is only a point-in-time measurement. Security is an ongoing process.
I hope our state legislators have a firm grasp of this concept when they tackle this very important issue.
Till Next Time,
Joan,
The eSecurityDiva