Minnesota Plastic Card Security Act
hmark
12-17-2007, 12:40 PM
There's an interesting thread in the PCI DSS discussion group regarding an acquirer asking their merchants to sign an agreement which makes the merchant responsible for the security of their service providers. This is consistent with the Minnesota Plastic Card Security Act, which is the first bill of its kind to mandate certain portions of the PCI DSS, notably the prohibition on the storage of sensitive authentication data. Has anyone had experience with this law yet? If so, how is it impacting your compliance efforts?
jbhall56
01-14-2008, 08:09 AM
Since the real teeth of the law do not go into effect until July 1, 2008, it's really having little effect. Our clients in Minnesota are just conducting business as usual and continuing to go through their existing PCI compliance efforts.
hmark
01-14-2008, 09:54 AM
I do know of some companies that are being affected by the law, in that they're already incorporating it into their compliance efforts. There appears to be little impact there in that it essentially prohibits already forbidden behavior (i.e., storage of prohibited data). It will be interesting to witness the enforcement of the law - it has some provisions that can be interpreted to make merchants responsible for the non-compliance of service providers. Are your clients in Minnesota having any luck getting documentation of compliance out of their service providers?
I am also interested in the discussion, if any, going on around the law and any others of its ilk. California's effort at a similar law was shot down, and TX is expected to resume debate about such a law when its legislature re-convenes.
jbhall56
01-15-2008, 02:59 AM
Compliance information out of service providers? A few will provide a letter indicating they are compliant. Fewer still will provide a copy of their Visa Confirmation Of Report Accuracy (CORA) or MasterCard Certificate Of Validation (COV). The majority will tell a merchant it's none of their business, which is reasonable given that the PCI SSC says you are only responsible for monitoring those entities downstream from you, not upstream.
All of our clients are complying with the PCI DSS and are not obsessing about what Minnesota's legal industry is up to. Our clients' assumption is regardless of the success of their PCI compliance efforts, if a breach occurs somewhere in their processing chain, they will likely get sucked into the legal fray anyway. So, there's no reason to worry about it until it happens.
It will be interesting to see how this will play out. As I've stated earlier, I would think that it will be legally difficult to enforce any provisions that might attempt to make a merchant responsible for an upstream organization's breach. All I can see is a legal argument similar to the one used by the lawyer of that woman who dumped McDonald's coffee in her lap and then stated she didn't know it was hot. Juries tend to buy into that sort of nonsense, but the multi-million dollar verdict was overruled on appeal. So, I'm guessing that when they try to pin a breach in an organization upstream on one or more downstream organizations, they might get the lower court win, but it will ultimately be overturned on appeal. Unfortunately, only the lawyers will win (big professional fees) and everyone else will lose (higher costs).