got privacy?  Musings on the state of Privacy in a connected world.
 
Marcus Morissette, Managing Director, Concise Consulting

In a follow-on from an earlier post on this blog, Marcus Morissette continues to dig into the interpretation and applicability of Washington State HB1149.

In order to understand who should be concerned about the provisions contained in this law, and who benefits from this law, we must identify the cast of characters. The following entities are defined in the law:

· Financial Institutions
· Businesses
· Processors
· Vendors

Let us review its definitions first, and then compare them with the legal definitions/obligations contained in the PCI DSS.  I am going to list the definition from HB1149 and then follow it with the definition from PCI DSS.

Who benefits?
HB1149 leverages the definition of a financial institution contained in RCW 30.22.040, which states that a "Financial institution" means a bank, trust company, mutual savings bank, savings and loan association, or credit union authorized to do business and accept deposits in this state under state or federal law.

PCI DSS: In the context of the damage recovery language contained in the bill, it can be assumed this means primarily issuing banks (i.e. those financial institutions that, in the event of a breach, would have damages relating to the reissuance of cards).


Who pays?
HB1149 defines a “business” as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington [emphasis added]. 

PCI DSS: Level 1 Merchants

HB1149 defines a “processor” as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined under this section, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.

PCI DSS: Level 1 and 2 Service Providers

HB1149 defines a "vendor" as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own.

So, who really should be concerned?


So the only "businesses" subject to these provisions are Level 1 Merchants as defined by the PCI DSS (based on a transaction volume of 6,000,000). Further, it means that all Level 1 merchants across the country that provide, sell or even "offer" goods or services to Washington residents are subject to liability if they fail to use reasonable care to guard against unauthorized access to account information. However, the law contains a Safe Harbor provision for PCI DSS compliance, which would seem to exclude every Level 1 Merchant with an ounce of business sense and self-preservation. This is because Level 1 merchants are required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. (See next week's post for a discussion of Reasonable Care and Safe Harbor.)

However, as defined in HB 1149, vendors and processors of all sizes and transaction levels are liable to financial institutions for their failure to use reasonable care. This means that Level 1 and 2 Service Providers as defined in the PCI DSS are subject to potential liability under this new law. However, Level 1 Service Providers (300,000 transactions or VisaNet processors) are also required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. They should be well within the Safe Harbor provisions. Level 2 Service Providers are allowed to validate their compliance with the PCI DSS via a Self-Assessment Questionnaire (SAQ).

Vendors who develop payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. Such application vendors would have their development procedures and their products reviewed under the PA-DSS. Vendors that comply with the PA-DSS should also be "compliant" and protected by the Safe Harbor provisions (again, HB1149's Safe Harbor will be discussed in detail later).

So, a summary of these "definitions" would seem to make it about as clear as mud who is actually liable for damages under HB1149. It would appear that likely candidates are:
· Level 2 Service Providers who failed to submit a valid SAQ
· Application Vendors that were somehow able to sell, distribute or license a payment application without obtaining PA-DSS compliance
· Level 1 Merchants and Level 1 Service Providers that have made the decision not to comply with the PCI DSS, and/or who have somehow been unable to comply with it

The liability provisions would seem to be another very good reason for all merchants and service providers to comply with the PCI DSS and to properly validate such compliance as required by the card brands.

UPDATE: 8/25: Our conclusion after talking to colleagues regarding this law is that a logical next step is to engage with the legislators who drafted the law, and who are in a position to collate and present changes so that a future version may appear with these issues resolved.  This may be a lengthy process, but if we make progress, it will be posted here.
 
 
Marcus Morissette, Managing Director, Concise Consulting

HB 1149, oddly titled "Protecting Consumers from Breaches of Security", is intended to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data.

HB 1149 amends Washington State's current Data Breach Notification Law (19.255 RCW) [emphasis added]. According to some published commentaries, it purportedly incorporates the Payment Card Industry Data Security Standard (PCI DSS) into Washington State law. Several aspects of the law and certain definitions contained in it, however, lead this author (an experienced and trained PCI DSS security assessor) to question the drafting process and research that went into (or did not go into) HB 1149.

Instead of leveraging accepted definitions and concepts from the payment card industry, HB 1149 creates new definitions and creates new or additional liabilities for those merchants and service providers (PCI DSS definitions) already subject to the compliance requirements of the PCI DSS imposed by the card brands.


I have so many concerns with this new law that I will have to address them in a series of blog posts.  The first of these will be posted tomorrow.

UPDATE 6/30

As it turns out, I did not have nearly as much time today as I thought I would to complete the second part of this post. I am now aiming for the end of this week. I plan on following with future installments in the weeks to come.  The more I pull the string on this new law, the more potential issues I uncover with it.  So stand by…