Nevada Mandates PCI Standard

[security curmudgeon <jericho () attrition org>]

http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html

Saturday, June 20, 2009
Nevada Mandates PCI Standard

Nevada has recently passed a law mandating PCI compliance for companies 
accepting payment cards that do business in the state. It is scheduled to 
go into effect on January 1st, 2010.

This makes Nevada the very first state to actually mandate PCI. The prize 
for toughest-state-data-security-law used to belong to Massachusetts. But 
Mass has recently been wavering and its technical requirements are almost 
non-existent compared to PCI.

The Nevada law is no reason to panic and doesnt really change much for 
companies dealing with credit card data. Those companies already have a 
contractual obligation to adhere to PCI. The Nevada law ups the ante by 
making this an actual legal requirement, but the standard itself remains 
the same. And as far as actual enforcement goes, the Nevada law says 
nothing about penalties whereas PCI has the ability to fine non-compliant 
companies.

The bigger change is for companies that deal with non-credit card personal 
data. The Nevada law defines nonpublic personal information as a social 
security number, drivers license number, or account number in combination 
with a password. It mandates the use of encryption for the transfer of 
such data outside of a company's control (this requirement existed in 
various forms in previous Nevada legislation as well).

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php