Nevada legislators have passed a law requiring the state's businesses to comply with the entire Payment Card Industry Data Security Standard if they're going to collect credit card information. Bank Info Security reports that the law, which is the first of its kind, may become a model for similar measures elsewhere as other states get serious about privacy protections.
But Ponemon Institute founder Larry Ponemon isn't sure states need to go so far as to legislate compliance with industry standards. "PCI is a self-regulating standard," he said. "I'm sure that mandated compliance through legislation was never intended by the program founders." Similarly, research from Aite Group indicates that most payment card industry execs don't think legislation is required to enforce the PCI DSS. Aite Group's Nick Holland says payment card providers should simply step up enforcement efforts.
For businesses in Nevada that are already subject to the standard, the only change is that they can now be held legally liable for non-compliance instead of merely being disqualified from accepting cards. For others, the law "raises the bar on information security." But the legislation alone won't do much to decrease fraud, according to Javelin Strategy and Research senior analyst Tom Wills. An awareness program should be implemented as well.