Credit unions are supporting the Consumer Data Security Bill in the Alabama House of Representatives (HB 797) and in the Alabama State Senate (SB 545). Briefly, the bill does three things that are necessary to protect consumer data and to prevent the problems that we have seen in the past with other well publicized merchant breaches. The provisions of the bill are;
It requires an entity that experiences a breach to notify the individuals whose cards were compromised, as well as the financial institution that issued the exposed cards. Details of the breach would also be required. Alabama is one of 6 states without a notification requirement on the books.
It requires that any entity that accepts the information on a plastic card as part of a transaction, or the processing of a transaction, must comply with the Payment Card Industry (PCI) Data Security Standards. This is the accepted standard agreed to by industry participants. One of the most important provisions of the standard is that it prohibits the storage of key data, such as that found on the magnetic stripe of a plastic card, after the transaction has been settled. This is the information that hackers have used to counterfeit debit cards and steal funds.
It provides that if an entity is not in compliance with the PCI Data Security Standards at the time of the breach, then the entity is liable to the financial institution for the cost of protecting the card-holder, including the cost of reissuing cards, notifying members, and any refunds to cardholder accounts that must be made due to fraudulent transactions.
PASSAGE OF THE CONSUMER DATA SECURITY BILL WILL HELP TO ENCOURAGE MERCHANTS AND RETAILERS TO PROTECT CONSUMER DATA IN A MANNER THAT SHOULD BE DONE ALREADY.
Earlier this year, North Alabama Educators Credit Union had to replace nearly 2,000 debit cards because of a national data breach involving Heartland Payment Systems. Several years ago, a local franchise chain had an employee stealing card data information and then stealing funds through the use of counterfeit cards using the stolen data. In both of these cases, the information was stored by the merchants in violation of the PCI Data Security Standards.
States Senators and House Representatives are being asked to support this legislation. A public hearing is currently scheduled this Wednesday (April 8th) in Montgomery on this bill. I will be there at this hearing and I look forward to sharing the outcome of this legislation. - Greg Olmsted.