Data Breach Could Test Massachusetts Law
Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine-month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."
Re:Violation of Payment Card Industry regulations? (Score:5, Informative)
Not law but:
Penalties for Non-compliance
25. Are there fines associated with non-compliance of the PCI Data Security Standards?
Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.
26. Are there fines if cardholder data is compromised?
Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:
Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25
Re:Violation of Payment Card Industry regulations? (Score:2, Informative)
You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.
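As an added example, not part of the thread or of any PCI document: a small Python routine that applies the storage rule the comment describes. The PAN may be retained (shown here masked to first six and last four digits), while CVV2 and the other fields PCI DSS classes as sensitive authentication data are dropped before the record is written. A second function scrubs the same data out of application log lines, since logs are a common place for card data to end up unnoticed. The field names, the sample record and the log line are constructed for the example.

```python
"""Scrub payment data before storage or logging.

Rule applied (from the comment above): card number may be stored with
protection, CVV2/CVC2/CID and track data must never be stored, even encrypted.
Field names and samples below are constructed for this example.
"""
import re

# Fields PCI DSS treats as sensitive authentication data: never persist them.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Matches "cvv2=123", "CVC2: 4567", "cid=123" etc. in free text.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}")
# Candidate PANs: 13-19 consecutive digits; confirmed with a Luhn check.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest (a PCI-permitted display form)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist.

    Sensitive authentication fields are removed outright; the PAN is masked.
    Everything else is passed through unchanged.
    """
    out = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue                      # never written, not even encrypted
        if name == "pan":
            out[key] = mask_pan(value)
        else:
            out[key] = value
    return out


def redact_log_line(line: str) -> str:
    """Redact CVV-style fields and mask Luhn-valid card numbers in a log line."""
    line = CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        line,
    )
    return line


if __name__ == "__main__":
    # Constructed sample record and log line (4111... is a well-known test number).
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123", "exp": "12/27", "name": "J. Doe"}
    print(scrub_for_storage(sample))
    print(redact_log_line("order=55 pan=4111111111111111 cvv2=123 status=approved"))
```

Masking is enough for receipts and order history. If the full PAN must be kept for later charges, PCI DSS requires it to be rendered unreadable (strong encryption or tokenization with separate key management), which this example does not implement; the CVV2 rule has no such exception.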