Minnesota has enacted the first state law requiring merchants that do not protect payment card data adequately to reimburse financial companies for losses associated with data security breaches.
The Minnesota Legislature passed the Plastic Card Security Act last week, and Gov. Tim Pawlenty signed it into law this week. It will take effect Aug. 1.
The law will require merchants to comply with the Payment Card Industry security standard, which they already must follow under their contracts with acquirers. Merchants that do not comply with the standard and experience a breach will have to cover banks' fraud losses and other costs related to the breach, such as of reissuing cards, opening and closing accounts, and notifying cardholders that they may be at risk.
Similar laws are being considered in Texas, Connecticut, and Massachusetts.
Data security and merchant liability has been a big issue in the industry since TJX Cos., the Framingham, Mass., company that owns the TJ Maxx retail stores, announced in January that its payment systems had been compromised as early as July 2005; it later said as many as 45 million cards may have been exposed in the incdient.
