One of the factors in many of the high-profile security breaches is the retention of certain forms of credit card data, specifically authorization and security codes for credit cards. This information, particularly when coupled with the credit card number, is a high-value target for identity thieves. Minnesota recently enacted a law, Minn. Stat. § 325E.64, related to security breaches that is the first of its kind. In light of recent security breaches involving credit card data, Minnesota has made it illegal for businesses to retain credit card security code data, a Personal Identification Number verification code number, or the full contents of the magnetic stripe on a card for more than 48 hours after a transaction is authorized. This duty applies to merchants who accept credit cards as well as their third-party service providers.
If this data is retained, and there is a security breach, the person that directly, or indirectly through a service provider, violated this law is required to reimburse the financial institution that issued the payment card for the reasonable costs that were incurred by the financial institution to protect the information of the consumer, or continue to provide services to the consumer (including reissuance of a card). A financial institution also can recover any costs paid to cardholders from a person that violates this law.
The restrictions on retention of information become effective on August 1, 2007, and the portion of the law that imposes liability becomes effective on August 1, 2008. Many other states are considering these laws, and many more are expected to pass this year.