Saturday, June 20, 2009

Nevada Mandates PCI Standard

Nevada has recently passed a law mandating PCI compliance for companies accepting payment cards that do business in the state. It is scheduled to go into effect on January 1st, 2010.

This makes Nevada the very first state to actually mandate PCI. The prize for toughest state data security law used to belong to Massachusetts, but Massachusetts has recently been wavering, and its technical requirements are almost non-existent compared to PCI.

The Nevada law is no reason to panic and doesn’t really change much for companies dealing with credit card data. Those companies already have a contractual obligation to adhere to PCI. The Nevada law ups the ante by making this an actual legal requirement, but the standard itself remains the same. And as far as actual enforcement goes, the Nevada law says nothing about penalties whereas PCI has the ability to fine non-compliant companies.

The bigger change is for companies that deal with non-credit card personal data. The Nevada law defines nonpublic personal information as a social security number, driver’s license number, or account number in combination with a password. It mandates the use of encryption for the transfer of such data outside of a company's control (this requirement existed in various forms in previous Nevada legislation as well).

One would hope that there aren’t too many companies out there sending account information together with passwords unencrypted. That leaves full Social Security Numbers and the much less frequently used driver’s license numbers. (Interestingly, the regulation doesn’t consider the last four digits of the SSN to be personal information, which is kind of strange when you consider that the last four digits are the most random part of the number. Oh well.)

I suspect there are many companies out there with Nevada customers who will have to play some catch-up when it comes to SSNs. Full SSNs are still frequently used as a primary identifier for many web services related to payroll and benefits as well as many services that have nothing to do with taxes.

Most of these services already encrypt data on the interface level – it is the exception rather than the rule today to see a plain old http login page that asks for your SSN. It’s much tougher to know what is going on behind the scenes. But does the Nevada law really require companies to change their back-end data processing?

Because the law only talks about the “secure system” and the area “beyond the logical or physical controls of the data collector”, it is doubtful that this regulation requires any sort of SSL encryption of data that is not going out in cleartext over public networks. Data behind firewalls or behind some form of password protection would not appear to require encryption based on this wording.

One positive potential outcome of the Nevada law is that it may encourage organizations to move away from using SSNs when they don’t have to (a trend that has already been underway for a while, particularly at universities). There is something particularly jarring about being asked to provide your SSN to get cable service. Strict new rules around handling SSNs may be the necessary kick in the pants for SSN-addicted companies to finally overhaul their authentication methods.

One final thought about the Nevada law itself. In what I believe is a first for state laws, it directly references FIPS, NIST, and other “established standards bodies” when discussing allowable encryption methods. Most data breach notification laws give an exemption for encrypted data without giving any meaningful definition of the term. This has allowed companies to avoid notifying of a data breach when the compromised data was somehow obfuscated. This law will make it harder to claim that some light obfuscation or encoding actually constitutes encryption.
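As an added illustration of the point above (example code, not from the original post), the following Go program contrasts the kind of "light obfuscation" the law would no longer accept with encryption using a NIST-approved mode. Base64 encoding of a constructed sample SSN is reversed with no secret at all, while AES-256-GCM (AES per FIPS 197, GCM per NIST SP 800-38D) only decrypts with the correct key and rejects a wrong key or a tampered ciphertext. The function names, the sample value and the inline key generation are assumptions made for the example; in a real deployment the key would live in a key manager, not next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed sample record used only as illustrative input; not a real SSN.
const sampleSSN = "123-45-6789"

// EncodeOnly "protects" the value with base64, the kind of encoding that the
// post notes would not qualify as encryption under a FIPS/NIST definition.
func EncodeOnly(plain string) string {
	return base64.StdEncoding.EncodeToString([]byte(plain))
}

// RecoverWithoutKey shows why: the encoded form is reversible with no secret.
func RecoverWithoutKey(encoded string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// NewKey generates a random 256-bit AES key (hypothetical helper for the demo).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals the value with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func Encrypt(key []byte, plain string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plain), nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or if any byte was altered,
// GCM's authentication tag check fails and an error is returned instead of data.
func Decrypt(key []byte, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	enc := EncodeOnly(sampleSSN)
	back, _ := RecoverWithoutKey(enc)
	fmt.Printf("base64 form %q recovers to %q with no key\n", enc, back)

	key, _ := NewKey()
	sealed, _ := Encrypt(key, sampleSSN)
	got, _ := Decrypt(key, sealed)
	fmt.Printf("AES-GCM round trip with the right key: %q\n", got)

	wrong, _ := NewKey()
	if _, err := Decrypt(wrong, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The practical test for a "we encrypted it" claim is the one the program makes explicit: if the stored form can be turned back into the original without a secret that the attacker lacks, it is encoding, not encryption, and a breach of that data would not fall under an encryption exemption.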

SO…DO I NEED TO BUY SOMETHING TO MAKE THIS GO AWAY?

Companies that sell encryption products have a field day with laws like this. But, like other data security regulation, the Nevada data security law does not require you to buy anything to be in compliance. You just need to make sure that you are not sending sensitive data in cleartext over public networks. This means a bit more messing around with certificates and configurations prior to releases, but not much more. And of course you also need to make sure that anywhere you are storing this data at rest is considered part of your “secure system” or has some logical or physical controls in place.

FURTHER READING

The actual text of Nevada Senate Bill 227 can be found here.

A good overview of the evolution of data security legislation by Andrew Baer can be found here.

UPDATE: My newest post on this topic can be found here. You can also listen to my interview with Ira Victor who testified before the Nevada Senate Committee on Judiciary in support of the bill.

8 comments:

  1. Just a clarification: the Payment Card Industry Security Standards Council (PCI SSC) only governs the standard. They do not enforce the standards, or assess fees or fines. The fees and fines are issued by the card brands individually.

    ReplyDelete
  2. Thanks for clarifying, I wasn't clear enough on this point in the post. As you correctly point out the PCI Council itself neither enforces the standard nor issues fines.

    ReplyDelete
  3. This law is reeeaallly dumb. Small businesses have enough problems in this economy.

    ReplyDelete
  4. This law raises an interesting question. I scanned the legislation and did not see the answer.

    Section 1, Paragraph 1: If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) ...

    If an e-Commerce merchant accepts an Internet transaction from a Nevada resident (or just someone passing through for that matter) is that e-Commerce merchant 'doing business' in the state of Nevada? I would say, in the strict application of the language, yes he is. Therefore he has violated Nevada law if he's not in compliance.

    I think the point needs clarification.

    Tom Mahoney, Director
    Merchant911.org
    Protecting e-commerce from fraud since 2001

    ReplyDelete
  5. Thanks for raising this interesting point Tom. I think that any company that has online sales in Nevada would be considered to be doing business in Nevada. So from a practical perspective I think this legislation applies to more or less every company that sells nationwide.

    On a related note, it will be interesting to see whether this legislation will be replicated in other states (in the way that for example California's breach notification law cascaded across the country). More state laws mandating PCI would probably make companies prioritize this issue. It would also put a (long overdue) spotlight on the role of PCI assessors and their liability for breaches. The Nevada law seems to imply that certified companies are not liable for breaches unless there is gross negligence or intentional misconduct (a very high bar to demonstrate).

    ReplyDelete
  6. It's going to be very interesting to see how many other states will follow with similar legislation requiring compliance with the PCI Standards when processing payment cards.

    ReplyDelete
  7. I would be curious if this law exposes all the trade shows and events that process credit cards and personal data at the convention centers in exchange for access (badges). We are one of the largest processors of trade show attendee data and happy to report that we are fully PCI certified and have a current Report on Compliance (ROC).
    Terence
    Experient

    ReplyDelete
  8. A lot of states are now PCI DSS compliant. For me, this is a good move for every company. This will ensure clients' and consumers' safety. The incidence of identity theft and fraud will surely be lessened, if not eradicated. PCI compliance is actually a must for every merchant that accepts credit card payments.

    Penetration Testing

    ReplyDelete