Data Breach Could Test Massachusetts Law

Posted by CmdrTaco
from the keeping-the-secrets dept.
Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine-month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."
  • by PatPending (953482) on Tuesday December 21, 2010 @06:52PM (#34635912)

    Not law but:

    Penalties for Non-compliance

    25. Are there fines associated with non-compliance of the PCI Data Security Standards?

    Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

    26. Are there fines if cardholder data is compromised?

    Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

    • Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
    • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
    • Cost of re-issuing cards associated with the compromise.
    • Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

    Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25 [wellsfargo.com]

  • by PatPending (953482) on Tuesday December 21, 2010 @06:55PM (#34635932)
    The credit card merchant service provides a hash value that is subsequently used. You may store the expiration date and last four digits.
  • by Anonymous Coward on Tuesday December 21, 2010 @07:03PM (#34636018)

    You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.
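As an added illustration of the storage rules described in the two comments above (keep a hash of the card number, the last four digits and the expiry; never write CVV2), and not code from the page or from any payment processor: this Python helper reduces a raw checkout record to the only fields an application should persist and refuses outright if a CVV2-style field is present. The key name and the card numbers are constructed sample values (assumptions of this example); a keyed hash is used instead of a bare SHA-256 because a 16-digit number with a known issuer prefix is cheap to brute-force from an unkeyed digest.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed placeholder: in a real deployment the HMAC key lives in a key
# vault or HSM, never in source. It is an assumption of this example.
HMAC_KEY = b"placeholder-key-from-key-management"

# Field names that must never be persisted after authorisation.
FORBIDDEN_FIELDS = ("cvv", "cvv2", "cvc", "cvc2", "cid")


@dataclass(frozen=True)
class StoredCard:
    """The only card-derived fields the application keeps."""
    pan_hash: str    # keyed hash standing in for the full card number
    last_four: str   # for display / customer support
    expiry: str      # MM/YY, needed for renewals and recurring billing


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; rejects mistyped numbers early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def forbidden_fields_present(record: dict) -> list:
    """Names of fields in the record that must never reach storage."""
    return [k for k in FORBIDDEN_FIELDS if k in record]


def to_stored_card(record: dict, key: bytes = HMAC_KEY) -> StoredCard:
    """Reduce a raw checkout record to the minimal storable form."""
    bad = forbidden_fields_present(record)
    if bad:
        raise ValueError(f"refusing to store {bad}: never persist CVV2")
    pan = re.sub(r"[ -]", "", str(record["pan"]))
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("malformed card number")
    # Keyed hash: a plain SHA-256 of a 16-digit PAN with a known issuer
    # prefix can be brute-forced quickly; the secret key removes that.
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return StoredCard(pan_hash=digest, last_four=pan[-4:], expiry=str(record["expiry"]))
```

The same keyed hash lets a merchant match returning cards across orders without ever holding the full number, which is the property the comments above are getting at.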
