Focus on Data Retention, Storage and Destruction

Merchants with customers in Minnesota have another reason to step up their efforts to comply with the PCI Data Security Standards. A new Minnesota law, the first of its kind, imposes strict liability on merchants for costs incurred by financial institutions associated with a card security breach. Effective August 1, 2007, the Plastic Card Security Act bill requires that merchants with Minnesota residents as customers must have implemented Requirement 3 of the PCI security requirements. Requirement 3 prohibits storage of "sensitive authentication data," which includes magnetic stripe data, card validation codes, PINs, and encrypted PIN blocks. The law requires destruction of all such data immediately following a transaction. The provisions imposing strict liability take effect August 1, 2008. Similar bills are pending in the legislatures of California, Texas, Illinois, Connecticut and Massachusetts, and could very well be the next wave of data security legislation. Meanwhile, other efforts are underway to assist companies who must store sensitive business data. Computerworld reports on software that is being developed which takes critical data and cuts it up into anywhere from four to 128 "slices" that can be sent and stored securely in one or more locations. Computerworld Such software would be helpful for companies who need to better secure remote users, or for banking companies where long-time and easily retrievable storage of customer data is essential to their business. Clearly, recognition that proper data retention,storage and destruction is key to prevention of security breaches is finally getting its due.