California tends to lead the nation in many instances, signaling trends that can eventually head east. The state was the first to enact a security breach notification law, which required organizations to notify customers if a security breach could have exposed personal information such as Social Security, credit card and driver's license numbers.
Now California is considering a bill that would require organizations that accept credit and debit cards to follow some of the Payment Card Industry (PCI) Data Security Standard or face paying the costs associated with any security breach. The standard, developed by the five big credit card companies, are rules organizations should follow in protecting credit card transactions, such as installing a firewall and encrypting the transmission of sensitive information across public networks, among other requirements.
The rules are not mandatory, although credit card companies can levy fines or suspend the credit card processing services for merchants who do not follow the rules. Still, the vast majority of organizations that accept credit-card payments do not fully comply with the standard. Visa reported last month that of the largest merchants in the United States (those accepting more than 6 million credit-card transactions a year), only 35 percent are compliant. That's why the California legislature is considering a bill, known as AB 779, which would make the standard mandatory.
The bill has the support of the California Credit Union League. Banks typically have to shoulder the financial cost of notifying customers that their credit card numbers could have been stolen and the cost of replacing the cards -- all of which can cost more than $1 million per breach, according to a California State Senate report.
The bill would apply only to California residents, but because one out of 10 Americans live in California, the law would become a defacto standard for the nation. If any organization wants to do business with a California resident (and in today's online business world, the chances are high that that would happen), then they would have to follow the law. Minnesota passed a similar law earlier this year.
Because so few private-sector companies follow the PCI standard, it is most likely that government agencies that accept credit-card payments do not follow the standard as well. As it has happened with past state information security and privacy bills, a similar federal bill that could apply to federal agencies may be in the future.