The One Sentence Summary:
While Governor Schwarzenegger recently vetoed a Bill that would have imposed greater obligations on retailers with respect to protection of consumer payment information, continued legislative efforts are likely and retailers remain subject to data security standards set by the Payment Card Industry.
On October 17, Governor Schwarzenegger vetoed AB 779, which would have imposed greater responsibilities on retailers with respect to the storage of customer payment data, the transmission of customer payment data over public networks, and access to customer payment data. In addition, AB 779 would have imposed additional obligations on retailers with respect to notifying California residents whose personal information is acquired by an unauthorized person, and it would have required retailers to reimburse data owners (such as card-issuing banks) for costs incurred due to security breaches, including the cost of replacing cards and notifying customers.
AB 779 was passed by the Assembly by a vote of 68-0 and by the Senate by a vote of 30-6. In vetoing the Bill, the Governor cited ambiguities in the application of AB 779 and expressed concern that AB 779 could create a conflict with the responsibilities and liabilities already established by the Payment Card Industry (“PCI”), which is composed of the five major credit card brands.
The PCI security standards (the PCI Data Security Standard, or PCI DSS) are minimum compliance and validation requirements applicable to organizations that store, process or transmit payment card data. They are organized around six goals: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy. The standards are not enforced by the PCI council itself. Rather, the individual payment card brands enforce them through their contracts with acquiring banks and merchants, including by subjecting retailers to fines or revocation of card processing privileges for failure to comply. Additional information regarding PCI compliance can be found at http://www.pcicomplianceguide.org/.
Despite the Governor’s veto of AB 779, he acknowledged the need to protect consumer financial information. The Governor also encouraged the Bill’s author and the credit card industry “to work together on a more balanced legislative approach.”
What does the veto of AB 779 mean for California retailers? First, irrespective of the Governor’s veto, retailers that accept payment cards are already required by the card brands to become PCI compliant, or they risk fines or suspension of card processing privileges. If a retailer is not PCI compliant, efforts to achieve compliance should begin immediately. Second, retailers can expect a second attempt by the California Legislature in 2008 to impose additional obligations on retailers with respect to maintaining and protecting customer payment information. Because any such legislation is likely to track the PCI requirements closely, becoming PCI compliant now is the best initial step in preparing for potential legislative enactments.