Tag Archives: Payment Card

California Supreme Court Finds that ZIP Codes Are Personal Identification Information Under Song-Beverly Act

Posted on February 14, 2011 by Hunton & Williams LLP

On February 10, 2011, the California Supreme Court ruled in Pineda v. Williams-Sonoma Stores, Inc. that ZIP codes are “personal identification information” under the state’s Song-Beverly Credit Card Act of 1971 (the “Credit Card Act”). This finding effectively prohibits California businesses from requesting and recording cardholders’ ZIP codes during credit card transactions.

Tags: California, Consumer Protection, Payment Card

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Posted on March 24, 2010 by Hunton & Williams LLP

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches. Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities: businesses, processors and vendors. Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

Tags: Data Processor, Payment Card, PCI DSS, Safe Harbor, Washington

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

Posted on January 6, 2010 by Hunton & Williams LLP

On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.

Tags: Encryption, National Institute of Standards and Technology, Nevada, New Hampshire, Payment Card, PCI DSS, Protected Health Information

Class Action Lawsuit Against Heartland Dismissed

Posted on December 14, 2009 by Hunton & Williams LLP

The court in In re Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043 (D. N.J. Dec. 12, 2009) recently dismissed a class action lawsuit brought by investors in Heartland, a processor of payment card transactions whose stock value dropped significantly after it suffered a data security breach in which hackers allegedly stole 130 million payment card numbers. The plaintiffs argued that Heartland’s statements to the effect that it had adequate security systems and that it took the issue of computer network security very seriously were fraudulent because Heartland knew it had poor data security and failed to remedy critical problems soon enough to prevent the theft.

Tags: Class Action, Hacker, Litigation, Payment Card, Privacy Policy

Nevada Updates Encryption Law and Mandates PCI DSS Compliance

Posted on June 17, 2009 by Hunton & Williams LLP

As of January 1, 2010, Nevada law will require businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. The new law repeals the existing Nevada encryption law, which will remain in effect until January 1, 2010. (For more information on the existing Nevada encryption law, please see our previous Client Alert.) The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards. The law applies to organizations doing business in Nevada and provides that compliance will shield such businesses from liability for damages from a security breach. To read more, click here.

Tags: Encryption, Nevada, Payment Card, PCI DSS

Liability for Data Security Auditors

Posted on June 16, 2009 by Hunton & Williams LLP

A lawsuit that will soon commence in Arizona has the potential to alter the data breach liability landscape by making data security auditors liable for data breaches experienced by the companies they audit. The case, Merrick Bank Corp. v. Savvis Inc., has its origins in events that began in 2003, when Merrick Bank (“Merrick”) offered to hire CardSystems Solutions (“CardSystems”) to process credit card transactions for its merchant customers. The offer was contingent upon CardSystems achieving certification under VISA’s Cardholder Information Security Program (“CISP”), which is the predecessor to the Payment Card Industry Data Security Standard (“PCI DSS”). Savvis audited CardSystems in 2004 and found that it had “implemented sufficient security solutions” and followed “industry best practices.” VISA certified CardSystems shortly after receiving Savvis’ audit report. In 2005, CardSystems revealed that it had experienced an information security breach that compromised forty million payment cards.

Tags: Cybersecurity, Encryption, Homeland Security, Liability, Payment Card, PCI DSS

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

Tag Archives: Payment Card

California Supreme Court Finds that ZIP Codes Are Personal Identification Information Under Song-Beverly Act

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

Class Action Lawsuit Against Heartland Dismissed

Nevada Updates Encryption Law and Mandates PCI DSS Compliance

Liability for Data Security Auditors

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News