Minnesota retailers will soon be required by law to purge PIN numbers and credit card information after 48 hours. The new law, the Plastic Card Safety Act, takes effect on Wednesday; beginning next year, the act will empower banks to sue retailers whose data-retention practices lead to a security breach. From the Star-Tribune:
Mara Humphrey, a lobbyist for the Minnesota Credit Union Network, which pushed for the law, said too many retailers still keep information they shouldn’t for too long. Credit unions feel the bite if there’s a breach involving members’ credit-card data, through the cost of issuing new cards.
“We wanted to create an incentive [for businesses] to do the right thing and create consequences to prevent breaches from happening in the first place,” Humphrey said.
But Buzz Anderson of the Minnesota Retailers Association considers the law a boldly “anti-retail bill” that came about without enough input from the major credit-card companies and law enforcement officials. He vows to push for changes next year.
“There’s already a punishment process in place from the credit card companies if we allow our systems to be compromised,” Anderson said. “It would be better to find a way to resolve this without having to go through the courts. I don’t want retailers to be punished again when they’ve already been the victims of identity theft.”
Identity theft would not be such a pressing public policy issue if retailers followed the system approved by credit card companies. Afraid to undermine their core business, credit card companies seldom punish violators with fines or revoke their ability to process credit and debit card transactions. Perhaps retailers will be more concerned about your data if they fear a lawsuit from a well-funded bank.
Law may make credit-card users feel a bit more secure [Star-Tribune]