Nevada recently revised its data protection law, SB 227, to essentially add the full weight of the Nevada legislature to the enforcement of PCI DSS compliance. You likely already know that. What’s interesting about it is how the new law, in addition to requiring PCI compliance, also adds language requiring encryption (which is vaguely defined as being standardized in some way) between entities, though not over private networks within an entity.
Considering that this provision is already covered in PCI (even the exclusion of private network encryption), this is yet more proof that government organizations should not be writing technically detailed security legislation.
(Read our related special report about the battle between states and retailers.)
PCI DSS emerges after an arduous (if controversial) vetting process. Since security legislation does not have to go through such as process, I remain skeptical that state, federal or international legislation can improve on what PCI DSS already provides in terms of technical detail. What Nevada is doing, enacting PCI DSS into law, makes a lot of sense from a legal perspective.
Legislators save themselves and their staff a lot of time researching and writing detailed laws, yet they still get to issue press releases about how they are protecting their constituents. In addition, by specifically saying that companies that collect data and do business in the state of Nevada must comply with the “current version” of PCI DSS, this makes the Nevada law “evergreen,” thus saving valuable trees, which Nevada certainly needs.
You can’t make this stuff up: As part of TJX’s security breach settlement, TJX is being forced to participate in “pilot programs” related to credit card security, such as chip-and-PIN, which is all the rage in Europe, and end-to-end encryption, which is all the rage among certain POS vendors and processors. To me, as I read the settlement agreement, this stuck out like a sore thumb.
Where would 41 state attorneys general get the idea of forcing TJX to participate in pilot programs as part of their settlement? I’m guessing the answer is: from TJX itself. Like any global retailer, TJX is certainly participating in chip-and-PIN programs, at least in Europe. Plus, POS vendors and processors are beating down the door of every retailer to get them to implement end-to-end encryption, or tokenization, or both.
My point is: this “punishment” for taking data that is “worth cash” and treating it “like trash,” as one desperate-to-be-quoted elected official put it, is to implement the very programs they are already implementing. Of course, the ideas for these pilot programs could have emerged from months of painstaking research into current trends in the payment industry, which culminated in a strategy to make TJX’s data security truly state-of-the-art. But, I doubt it.
Like it or hate it, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process. That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.
As a security geek, I’m all in favor of anything that will help protect valuable data, as long as it incorporates solid risk management principles and has built-in enforcement mechanisms. If you find any laws or standards that do this, let me know. Do visit our website, PCI Knowledge Base, if you want to view our research. If you want to have a personal discussion about this, just send me an E-Mail at [email protected].