Devoted to Corporate Attorneys, Corporate Lawyers, and Corporate Counsel

The following is not meant to be legal advice.

Companies with customers in Minnesota no longer should retain credit or debit card security data after the authorization of a transaction.  The law on this matter went into effect on August 1, 2007. The law is called the Plastic Card Security Act.

The Plastic Card Security Act defines credit or debit card security data as the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data.

If a company retains security data subsequent to the authorization of the transaction and there is a security breach, the company will be held strictly liable for any damages caused by the breach. This means liability will follow without a plaintiff having to prove that the business was negligent. Businesses are responsible for violations by their service providers.  This means if a company uses a third party such as Cybersource to work with the data, the company remains liable for the security breach.  This circumvents some companies from thinking that they have decreased privacy responsibilities because they are not handling the data themselves.

The law may sure make it difficult for businesses who have operations throughout the world because they realize that they need to follow the law though not located in Minnesota.