Plastic Card Security

Suggested State Legislation: This Act limits how long companies that process credit card and related electronic transactions can retain sensitive information such as card security code data and PINs after a transaction is made.

Submitted as:
S.F. No. 1574, 2nd Engrossment
Status: Enacted into law in 2007.

Suggested State Legislation, 2009 Docket

Download the PDF Version

(Title, enacting clause, etc.)

Section 1. [Short Title.] This Act shall be cited as “An Act to Ensure Plastic Card Security.”

Section 2. [Definitions.] As used in this Act:
(1) “access device” means a card issued by a financial institution that contains a magnetic stripe, microprocessor chip, or other means for storage of information which includes, but is not limited to, a credit card, debit card, or stored value card;
(2) “breach of the security of the system” has the meaning given in [insert citation];
(3) “card security code” means the three digit or four digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device which is used to validate access device information during the authorization process;
(4) “financial institution” means any office of a bank, bank and trust, trust company regulated lender;
(5) “microprocessor chip data” means the data contained in the microprocessor chip of an access device;
(6) “magnetic stripe data” means the data contained in the magnetic stripe of an access device;
(7) “PIN” means a personal identification code that identifies the cardholder;
(8) “PIN verification code number” means the data used to verify cardholder identity when a PIN is used in a transaction; and
(9) “Service provider” means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.

Section 3. [Security or Identification Information; Retention Prohibited.] No service provider conducting business in this state that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.

Section 4. [Liability for Breach of the Security of the System.]
(a) Whenever a service provider violates this Act, and there is a breach of the security of the system of that service provider, the service provider shall reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the  information of its cardholders or to continue to provide services to cardholders, including but not limited to, any cost incurred in connection with:
(1) the cancellation or reissuance of any access device affected by the breach;
(2) the closure of any deposit, transaction, share draft, or other accounts affected by
the breach and any action to stop payments or block transactions with respect to the accounts;
(3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;
(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and
(5) the notification of cardholders affected by the breach.
(b) The financial institution is also entitled to recover costs for damages paid by the financial institution to cardholders injured by a breach of the security of a system of a service provider that violates this Act. Costs do not include any amounts recovered from a credit card company by a financial institution.
(c) A service provider that processes fewer than 20,000 transactions by access device by transactions annually is not liable to a financial institution under this section.

Section 5. [Remedies for Cardholders Injured by a Violation of this Act.]
(a) An individual cardholder injured by a violation of the standards, duties, prohibitions, or requirements of this Act may bring a private action under [insert citation]. A private right of action by an individual cardholder under this Act is in the public interest.
(b) The remedies provided in this section are cumulative and do not restrict any other right or remedy otherwise available to the individual cardholder.

Section 6. [Severability.] [Insert severability clause.]

Section 7. [Repealer.] [Insert repealer clause.]

Section 8. [Effective Date.] [Insert effective date.]

plasticcardsecurity2009ssl.pdf22.69 KB