New Law Requires Minnesota Retailers To Purge Personal Information After Two Days

Minnesota retailers will soon be required by law to purge PIN numbers and credit card information after 48 hours. The new law, the Plastic Card Safety Act, takes effect on Wednesday; beginning next year, it will empower banks to sue retailers whose data-retention practices lead to a security breach. From the Star-Tribune:

Mara Humphrey, a lobbyist for the Minnesota Credit Union Network, which pushed for the law, said too many retailers still keep information they shouldn’t for too long. Credit unions feel the bite if there’s a breach involving members’ credit-card data, through the cost of issuing new cards.

“We wanted to create an incentive [for businesses] to do the right thing and create consequences to prevent breaches from happening in the first place,” Humphrey said.

But Buzz Anderson of the Minnesota Retailers Association considers the law a boldly “anti-retail bill” that came about without enough input from the major credit-card companies and law enforcement officials. He vows to push for changes next year.

“There’s already a punishment process in place from the credit card companies if we allow our systems to be compromised,” Anderson said. “It would be better to find a way to resolve this without having to go through the courts. I don’t want retailers to be punished again when they’ve already been the victims of identity theft.”

Identity theft would not be such a pressing public policy issue if retailers followed the security rules the card companies already impose. Afraid of undermining their core business, the card companies seldom fine violators or revoke their ability to process credit and debit card transactions. Perhaps retailers will take better care of your data if they fear a lawsuit from a well-funded bank.

Law may make credit-card users feel a bit more secure [Star-Tribune]
(Photo: powerbooktrance)


  1. bonzombiekitty says:

    “…required by law to purge PIN numbers and credit card information…”

    *pet peeve* grrrr.. That’s redundant. PIN = Personal Identification Number. So “PIN number” = Personal identification number number.

  2. raybury says:

    What will this mean for retailers, like Minnesota-based Target, that use not-so-new database technology to look up transactions using the credit card and UPC? What about smaller companies that still use carbons?

    The PIN I can see flushing in that time, but not the account number, in case the funds transfer hasn’t cleared that quickly, as may be the case with non-PIN transactions.

  3. backbroken says:

    Hooray! Another consumer protection law for which compliance is impossible to verify until something goes wrong.

  4. Antediluvian says:

    Unless the law allows the violated consumers to sue the merchants directly, I don’t see this law working out too well.

  5. Red_Eye says:

    So explain to me how this will work for refunds, since most CC refunds take more than 2 days and retailers in a lot of cases insist on putting it back on the original card. Or are we finally on the verge of legislating the limbo time frames out of transactions so that every Tom, Dick and Harry can’t keep making interest off our funds?

  6. ITRiskMan says:

    Retailers can still retain the card number, expiration date, and name on the card. All this does is make into law the card companies’ requirement that merchants not retain the stripe, PIN, or CVV.

    RAYBURY: As for the carbons, none of the data merchants must not retain will appear on the carbon. It is all electronic or on the card in a non-embossed form.

    In order to settle with the card companies and handle disputes, retailers have to retain this data. Mastercard allows 12 months for disputes, Visa 18 months, and AmEx 24 months. Your data will be retained for some period, I guarantee it. If it was not retained, then card fraud would increase dramatically and costs would go up even more. The problem is keeping unnecessary data and not controlling properly the usage, retention, and storage.

    Security requirements (known as the PCI DSS) mandated by Visa, Mastercard, Discover, and AmEx already prohibit storage of the information mandated in this law. Not that MOST merchants are compliant. Maybe this will help. Maybe.

    What this will do is help the merchant banks, card issuers, and card companies further push liability for breaches to merchants. This is NOT necessarily a good thing, although there is a certain amount that needs to happen. I don’t want to debate here the extent that a company should go to to protect personal data. The bar needs to be higher than it already is, but regulation in this area will ultimately only lead to INEFFECTIVE and EXPENSIVE security controls, instead of useful ones. Not a single bit of legislated security has produced any tangible results – HIPAA, GLBA, etc. Sarbanes-Oxley is even driving companies private to avoid the unbelievable costs of compliance, and the value it has really added is arguable.

    PCI DSS, a card industry mandated set of security controls, is being deployed. The PCI Level 1 merchant I manage IT Risk for is taking it seriously and has implemented some good security.

    I can’t stress this enough: If this devolves to a legal compliance issue, the security of your information WILL suffer.

    Retailers/merchants are already paying fees to cover the cost of breaches. Do you think if the costs shift to the retailers that the card companies will reduce those fees? I doubt it. But I guarantee the retailers will increase costs and we will all pay twice.

    That’s my two cents. My first comment here – long time lurker.

  7. yg17 says:

    @raybury: For a receipt lookup, a store could easily get away with storing just the last 4 of the card number and expiration date and then doing a match in their database with that and the UPC. Store the cardholder’s name too, so in the one-in-a-gajillion chance someone else with the same last 4 and same expiration date bought the exact same item as you, the cashier can just ask you for the name on the card and match it up.

    @Red_Eye: Sometimes when I return something, they ask me for my card and swipe it. I like that, I hate the idea of my credit card info being stored in a million different databases from everywhere I shop
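
The retention split ITRiskMan and yg17 describe in the two comments above (drop the stripe, PIN and CVV at authorization; keep only the last four digits, expiry and name for receipt lookup; purge whatever full card data remains once its window closes) can be written down as a small store. The Python below is an added example written for this page, not code from the article, the law, the card brands or any retailer. The field names of the terminal's authorization message, the fake test card number, the 48-hour window applied to the full card number, and the lookup key (last four + expiry + UPC, with the name on the card as tiebreaker) are all assumptions chosen to match the comments.

```python
"""Added example: drop stripe/PIN/CVV at ingest, keep a truncated receipt
record, purge full card numbers after a retention window. Message shape assumed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Never written to either store (the fields the comments say PCI DSS and
# the Minnesota law cover). Dropped before anything else happens.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "pin_block", "cvv2")
# Assumed window for holding the full card number for settlement/refunds.
PAN_RETENTION = timedelta(hours=48)


@dataclass(frozen=True)
class ReceiptRecord:
    """Enough to find a sale from the card in hand, without the full PAN."""
    last4: str
    expiry: str  # "MMYY"
    cardholder: str
    upcs: tuple[str, ...]
    authorized_at: datetime
    auth_code: str


@dataclass(frozen=True)
class PendingSettlement:
    """Full card number, kept only until PAN_RETENTION has elapsed."""
    pan: str
    authorized_at: datetime


class TransactionStore:
    def __init__(self) -> None:
        self.receipts: list[ReceiptRecord] = []
        self.pending: dict[str, PendingSettlement] = {}  # keyed by auth code

    def ingest(self, auth: dict) -> ReceiptRecord:
        """Record an authorized sale; stripe, PIN block and CVV never persist."""
        auth = {k: v for k, v in auth.items() if k not in SENSITIVE_AUTH_FIELDS}
        pan, when = str(auth["pan"]), auth["authorized_at"]
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12 to 19 digits")
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware for purging")
        record = ReceiptRecord(pan[-4:], auth["expiry"],
                               auth["cardholder"].strip().upper(),
                               tuple(auth["upcs"]), when, auth["auth_code"])
        self.receipts.append(record)
        self.pending[record.auth_code] = PendingSettlement(pan, when)
        return record

    def lookup_receipt(self, last4: str, expiry: str, upc: str,
                       cardholder: str | None = None) -> list[ReceiptRecord]:
        """Find a sale by last four + expiry + one item; name breaks ties."""
        hits = [r for r in self.receipts
                if r.last4 == last4 and r.expiry == expiry and upc in r.upcs]
        if cardholder is not None and len(hits) > 1:
            hits = [r for r in hits if r.cardholder == cardholder.strip().upper()]
        return hits

    def purge_expired(self, now: datetime) -> int:
        """Delete every full card number older than PAN_RETENTION."""
        expired = [c for c, p in self.pending.items()
                   if now - p.authorized_at >= PAN_RETENTION]
        for code in expired:
            del self.pending[code]
        return len(expired)

    def stored_field_names(self) -> set[str]:
        """Every attribute held anywhere: a reviewer's quick compliance check."""
        rows = list(self.receipts) + list(self.pending.values())
        return {name for row in rows for name in vars(row)}


def demo() -> dict:
    """Constructed walk-through with a fake test card; returns checkable facts."""
    store = TransactionStore()
    t0 = datetime(2007, 7, 31, 10, 0, tzinfo=timezone.utc)
    swipe = {  # constructed terminal message, not any real format
        "pan": "4111111111111111", "expiry": "0909", "cardholder": "Jane Q Public",
        "track2": "4111111111111111=09091011000012345678",
        "pin_block": "A1B2C3D4E5F60718", "cvv2": "123", "auth_code": "012345",
        "upcs": ["012345678905", "036000291452"], "authorized_at": t0,
    }
    rec = store.ingest(swipe)
    return {
        "last4": rec.last4,
        "found": len(store.lookup_receipt("1111", "0909", "036000291452")),
        "leaked": store.stored_field_names() & set(SENSITIVE_AUTH_FIELDS),
        "purged_at_47h": store.purge_expired(t0 + timedelta(hours=47)),
        "purged_at_48h": store.purge_expired(t0 + timedelta(hours=48)),
        "pans_left": len(store.pending),
    }
```

Two design points worth noting. The stripe, PIN block and CVV are stripped inside `ingest` before either store is touched, so keeping them off disk does not depend on a purge job running on time; the 48-hour purge only governs the full card number, which the comments say merchants may hold for settlement. And `stored_field_names` is the check a reviewer can run against the live store to confirm no later code path has quietly reintroduced one of the forbidden fields.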

  8. pestie says:

    @bonzombiekitty: Don’t you type your PIN number at the ATM machine? I work in IT, so I occasionally have to install or replace NIC cards, too.

    Acronymical redundancy should be punishable by a fine of up to $100.

  9. aikoto says:

    About time. Data retention is the second leading cause of identity theft and locking it down is a good first step. Most companies have no reason and no right to retain your credit card data after the transaction has completed.


  10. Trackback says:

    Starting tomorrow, a new law takes effect in Minnesota that will prohibit merchants from storing a customer’s PIN, CVV security code, or magnetic stripe information for more than 48 hours.