The Battle over California's AB779
The San Francisco Chronicle writes an editorial in favor of Assembly Bill 779 authored by Assemblyman Dave Jones. The bill has passed both houses of the California legislature and is awaiting signing by Governor Arnold Schwarzenegger. Retailers are urging the governor not to sign the bill.
Among the bill's requirements, which mostly mirror those of PCI DSS, is one that retailers in the state encrypt the transmission of payment-related data. Beginning July 1, 2008 in California, one cannot "send payment-related data over open, public networks unless the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable." Payment-related data is defined as "account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
I wonder when the merchants are going to revolt and stop taking credit cards because they are having to foot the bill for securing the card brand's weak MSR products.
Posted by: Scott Spiker | September 20, 2007 at 06:18 AM
In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute "sensitive authentication data" that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)'s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. --Benjamin Wright, Dallas, Texas
Posted by: Benjamin Wright | October 04, 2007 at 11:35 AM