Last Monday, Washington passed HB 1149, which holds payment processors, businesses, and vendors that fail to protect against unauthorized access to consumers' credit and debit card account information responsible for the costs financial institutions incur in reissuing credit and debit cards after a breach. Payment processors, businesses, and vendors can, however, receive safe harbor under the statute if (1) the account information was encrypted at the time of the breach or (2) the processor, business, or vendor was certified as PCI DSS compliant at the time of the breach. The law goes into effect July 1, 2010.
This law applies to "account information," which is (1) the full, unencrypted magnetic stripe of a credit or debit card, (2) full, unencrypted account information contained on an identification device (a device using RFID or facial recognition technology), or (3) the unencrypted primary account number on a credit or debit card or identification device, plus the unencrypted cardholder name, expiration date, or service code.
This law applies to three sets of entities:
- Processors: any individual or entity that directly processes or transmits account information for or on behalf of another person as part of a payment processing system
- Businesses: any individual or entity that processes more than six million credit or debit card transactions annually and that provides, offers, or sells goods or services to Washington residents
- Vendors: any individual or entity that manufactures and sells software or equipment designed to process, transmit, maintain, or store account information
In the event of a breach of account information, processors and businesses that have failed to take reasonable care to guard against unauthorized access to the account information they possess or control will be responsible for reimbursing financial institutions for the cost of reissuing the credit or debit cards of Washington residents whose cards were subject to the breach. A vendor is also liable for the costs of this reissuance, but only to the extent that its negligence caused the damages and its liability was not limited or foreclosed by another provision of law or by contract. If more than one entity fails to take reasonable care within the context of a single breach, a court will determine the percentage of responsibility for each and apportion liability accordingly.
To gain safe harbor immunity against this potential liability, processors, businesses, and vendors can either (1) encrypt all account information so that, in the event of a breach, any unauthorized access obtains only encrypted account information or (2) become certified as compliant with the PCI DSS standards adopted by the payment card industry.
With this law, Washington now becomes the third state, along with Nevada and Minnesota, to effectively translate the PCI DSS industry standards into a statutory requirement. The law also adopts a cost-shifting framework under which financial institutions can, after a fact-intensive court process, shift the cost of generating and issuing new credit and debit cards (and the attorneys' fees and court costs associated with the litigation) onto the processor, business, or vendor determined to be responsible for the breach of account information. These potential liabilities provide strong incentives for processors, businesses, and vendors that have not already adopted the PCI DSS standard, or that do not encrypt account information, to do so.