PCI-DSS Compliance: Part 5

I was just going to close out this blog series on PCI-DSS compliance when the state of Nevada threw a proverbial monkey wrench into the works. Within the last few days this state passed a law requiring PCI-DSS compliance for all companies that take in credit card payments if they conduct business in Nevada. Additionally, this statute requires that encryption be implemented for all personal and financial data such as driver’s license numbers and bank account numbers used in connection with password entry whenever the information is transmitted outside of a company’s network, where the company cannot provide security. The law will become effective on January 1 of next year.

The fact that Nevada is striving to protect its residents from identity theft and other types of computer crime should by now be very clear. For example, a little over a year and a half ago Nevada enacted a statute that required companies to encrypt all personally identifiable information (PII) sent over the Internet. But going as far as to mandate PCI-DSS compliance was a surprise, because even though PCI-DSS’s provisions are by no means draconian, they nevertheless tend to cause frustration and resentment among the companies and organizations that must comply with them. Given that elections are held periodically and that people vote against politicians who vote for legislation with which they disagree, I am somewhat amazed (but also gratified) that the Nevada state legislators went out on a limb (at least to some extent) to pass the legislation.

The new Nevada law is really not as radical as it initially might seem to be, however. Most of the companies there that take in credit card information already must comply with the PCI-DSS standard. Additionally, just as in the case of California’s now classic SB-1386 statute, Nevada’s new law does not prescribe any penalties such as fines for those who do not comply with it. The tougher provisions in this law concern protecting PII, because they to some degree constitute a truly new requirement. The previous law required encryption of any PII sent over the Internet, whereas in essence the new law requires encryption of this information whenever it is sent outside of a network of which a company has control.

I view the passage of Nevada’s new statute as the beginning of things to come. California’s SB-1386 served as model legislation that “caught on” among other states in the US. Presently 41 of the 50 states have some kind of legislation in effect that requires notification in the event of a data security breach involving personal and/or financial data. As I have said so many times before, whether or not legislation that protects consumers or that favors businesses instead depends on which party is in control. Democrats tend to pass consumer-oriented legislation, whereas Republicans tend to eschew such legislation and instead pass business-favorable legislation. Right now the Democrats are in charge, so the door is open for consumer-favorable legislation such as Nevada’s recent law. So watch for other states to quickly follow Nevada’s example.

What may also be significant concerning Nevada’s recent statute is that it takes a standard that was developed and is now widely used in the commercial arena and converts it into law—a very rare and significant event. In a minuscule but eye-opening way, it represents what the US government has sought and advocated for years—a partnership between the government and commercial sectors.
