
Privacy Your Rights Online

Governator Kills Data Protection Law

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."
  • Ah! The ads! (Score:2, Informative)

    by Anonymous Coward on Monday October 15, 2007 @06:48PM (#20988927)
    Here's the printer friendly version, with (somewhat) fewer advertisements.
    http://www.eweek.com/print_article2/0,1217,a=217199,00.asp [eweek.com]
    (posted as anon to avoid Karma whoring)
  • "It won't be back"? (Score:5, Informative)

    by whoever57 ( 658626 ) on Monday October 15, 2007 @07:02PM (#20989039) Journal
    Perhaps the submitter or editor could refrain from lame jokes when said joke is in conflict with the article:

    Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill.
  • by Harmonious Botch ( 921977 ) * on Monday October 15, 2007 @07:25PM (#20989219) Homepage Journal
    I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.

    These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.

    With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

    Laws have consequences. And someday the consequence may be your job.
  • by Martin Blank ( 154261 ) on Monday October 15, 2007 @07:42PM (#20989341) Homepage Journal
    Then-Lt. Gov. Cruz Bustamante was the biggest candidate that he faced, and that was a very, very poor choice.

    Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of closed-door, secret meetings selling off the state's future.
  • by MtlDty ( 711230 ) on Monday October 15, 2007 @08:00PM (#20989483)
    Actually, that's the way it currently does work according to the PCI-DSS. There are four levels of compliancy, and although the compliancy points across all levels are similar, the accreditation is more difficult at the higher levels (requires certification from an independent Qualified Security Assessor).

    I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) already has mandated merchants must comply with the Data Security Standard. They also have the means to force non-compliance fees on merchants, through their acquiring banks.

    In short, there's no need to add layers of government bureaucracy to the mix - it would just cost the tax payer for something that the card industry should be able to manage, and add extra levels of confusion to what is already a difficult landscape of compliancy.
  • Re:PCI Standards (Score:3, Informative)

    by azrider ( 918631 ) on Monday October 15, 2007 @08:46PM (#20989865)

    Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.
    See the above referenced standard https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm [pcisecuritystandards.org]. The only required information is merchant ID, merchant transaction number, authorization transaction ID, authorization number and amount.

    So the full card number is required for a) initial authorization request, typically taken when the cardholder places the order,
    Yes

    b) reauthorisation prior to dispatch (typically required when the order has taken more than a week or so to process - if the card is not re-authed the merchant may face chargeback. This varies between card issuers and acquirers.)
    No

    c) Settlement, ie when the merchant actually banks the money. For this the merchant sends an end of day settlement file containing card number and authorization details.
    No

    d) Then, as mentioned most acquirers request the details are kept for at least six months to allow for Request For Information queries about the transaction.
    The acquirer (if you are referencing the agent who actually provides the authorization) may request but may not require the information to be kept, since all necessary information is provided by the data that I stated.
    Again, look at the standard before you post a critique.
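    As an added example (not code from any poster here), the data-minimization point azrider makes, in Python: after authorization, the merchant keeps only the settlement fields the post lists and drops the full card number, then scans the stored record for anything that still looks like a PAN before it is written. The field names and the sample authorization response are constructed for this example; keeping the last four digits for customer reference is an assumption beyond the post, not something azrider says.

```python
import re
from typing import Any, Dict, List

# Fields the post says are all a merchant needs for settlement and later
# Request For Information queries. The key names are assumptions made for
# this example, not PCI DSS terminology.
RETAINED_FIELDS = (
    "merchant_id",
    "merchant_txn_number",
    "auth_txn_id",
    "auth_number",
    "amount",
)


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers (assumed all-digit input)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Runs of 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_like(text: str) -> List[str]:
    """Return digit strings in text that are PAN-length and Luhn-valid."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def record_contains_pan(record: Dict[str, Any]) -> List[str]:
    """Scan every stored value so a PAN cannot hide in a free-text field."""
    hits: List[str] = []
    for value in record.values():
        hits.extend(find_pan_like(str(value)))
    return hits


def build_retention_record(auth_response: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an authorization response to the fields worth retaining.

    The full card number is never copied. The last four digits are kept
    for customer reference (an assumption for this example). The result is
    checked so that a PAN that slipped into another field is rejected
    rather than stored for six months.
    """
    record = {key: auth_response[key] for key in RETAINED_FIELDS}
    record["card_last4"] = auth_response["pan"][-4:]
    leaks = record_contains_pan(record)
    if leaks:
        raise ValueError("refusing to store record containing a PAN-like value")
    return record


# Constructed sample authorization response; 4111111111111111 is a
# well-known Luhn-valid test number, not a real card.
SAMPLE_AUTH_RESPONSE = {
    "merchant_id": "M-EXAMPLE",
    "merchant_txn_number": "ORD-42",
    "auth_txn_id": "TX-ABC123",
    "auth_number": "054321",
    "amount": "19.99",
    "pan": "4111111111111111",
    "expiry": "12/09",
}


if __name__ == "__main__":
    stored = build_retention_record(SAMPLE_AUTH_RESPONSE)
    print(stored)
```

    The scan matters because the cleanup step is only as good as the assumption that the PAN lives in one well-named field; a free-text order note or a debug string copied from the terminal can carry it into the retained record just the same.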
  • by Paperweight ( 865007 ) on Monday October 15, 2007 @08:57PM (#20989941)
    Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.
  • Agree and disagree (Score:3, Informative)

    by einhverfr ( 238914 ) <chris@travers.gmail@com> on Monday October 15, 2007 @09:27PM (#20990133) Homepage Journal
    Most of my customers are small businesses which also process credit cards. What you have to remember is the controversial portions of the law are *already* requirements for small businesses which process credit cards. I invite you to read the PCI-DSS 1.1 (and yes, there are a lot of non-compliant small businesses out there).

    Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violations resulting in theft of sensitive cardholder information. Many smaller fines are levied against businesses who are required to certify their compliance with third parties (these are either larger businesses or those who have had past problems).

    This isn't about an attack on smaller businesses. Businesses *should* be doing this already. If they don't they are already risking their continued operations. Hopefully such a law would help build awareness of these sorts of problems and help small businesses actually avoid problems. Yes, compliance is a bear, but already the costs of noncompliance, as levied by Visa/Mastercard are sufficient to drive small businesses out of business.
  • You are missing a very basic fact---

    If you have a noncompliant system today, whether or not this law would have been signed, and its problems resulted in the theft of a credit card number, your small business could be fined up to $500,000 by Visa/Mastercard.

    That is the cost (right now) of noncompliance. So the solution to your question is-- do your homework, evaluate what you have, and get the right system.
  • by einhverfr ( 238914 ) <chris@travers.gmail@com> on Monday October 15, 2007 @09:51PM (#20990315) Homepage Journal

    Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for Windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.
    Then the problem is either with the admins or that the compliance people can't read.

    The PCI-DSS 1.1 states:

    5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)
    Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.
    [emphasis mine]
    Next time someone complains about the PCI-DSS requiring antivirus software on Linux/UNIX systems, you can point them to the fact that the standard specifically excluded these systems from the antivirus requirements.
