With the requirements set out by the Payment Card Industry Data Security Standard (PCI DSS), a lot of businesses scratch their heads and ask whether PCI is a law. The answer is short and simple: no, PCI Compliance is not a law.
Will PCI Compliance Be a Law in the Future?
To make things clearer, let's look at this topic in more detail. At the moment it is not a federal law, but there are some state laws in effect (and others that may come into effect in future) that implement the requirements of PCI DSS. The story does not end there: there is a big push from industry trade associations and legislatures to pass a federal law on breach and security notification.
Plastic Card Security Act
In 2007, the “Plastic Card Security Act” was established in Minnesota. It states that if a company is breached and it is later discovered that the company was storing prohibited PCI data (such as CVV codes, magnetic stripe or track data), the company is required to repay banks and other parties the costs linked with reissuing and blocking cards. Under this law such companies are also open to private lawsuits. The law currently does not apply to Level 4 merchants (those carrying out fewer than 20,000 card transactions per year).
Following this, the state of Massachusetts announced that it would introduce a new law, 201 CMR 17.00. Among other things, the law requires limiting the data collected, and sets out requirements for data encryption and written security policies. It applies to any company storing or handling customer data based in Massachusetts. Enforcement, originally meant to begin in 2009, was pushed back to 2010. Like the previous law, this one also does not cover Level 4 merchants.
Neither of the laws described above says anything about being PCI compliant. More states are requiring customer notification when a data breach occurs, and as time goes on the definition of personal information will also come to include credit card numbers.
What are the Possibilities?
With all that said, is it possible that we will see PCI Compliance adopted and explicitly called out as a law? There is no guarantee, but it might be possible; nobody knows the future. Government takes time to get things done and PCI compliance is still evolving, so it would be quite difficult for legislatures to keep pace with the technology changes being put forward by the PCI.
It is possible, to a certain extent, that in the future more states will recognize credit card data as personal information and will take strict action against companies that neglect proper security. In time, there may also be direct financial incentives for companies with far stronger security postures.