Nevada Mandates PCI DSS Compliance
Nevada Implements PCI DSS Into State Law
Beginning January 1, 2010, the state of Nevada will mandate PCI DSS compliance for businesses accepting credit cards. In so doing, Nevada will become the first state to transform the PCI DSS requirements into law.
With non-compliant businesses already facing steep financial penalties, the risk of losing the ability to accept credit cards, and lawsuits (almost sure to follow any data security breach), non-compliance with PCI DSS would seem sufficiently punitive already. But with states like Nevada making law of PCI DSS, PCI compliance will certainly take on a new level of visibility and, perhaps, controversy.
The tendency of most will be to assume that Nevada’s law is in place to further penalize non-compliant businesses. This isn’t the case entirely. Nevada’s law will actually serve to shield PCI compliant businesses from additional liability should a data security breach occur and litigation ensue. Nevada’s new law will provide relief for Nevada businesses (at least those that accept or process credit card payments) by protecting compliant companies from potentially bankrupting lawsuits.
In this way, Nevada’s transformation of PCI DSS into law (as an additional amendment to NRS 603A) will serve as both additional protection for PCI compliant businesses and further penalty for those non-compliant. Should a Nevada company suffer a credit card data security breach, its PCI compliance will determine its fate, both with the Payment Card Industry and in the courts.
PCI DSS originated from an alliance of the major credit card companies. The Payment Card Industry Security Standards Council (PCI SSC) is a business consortium charged (forgive the pun) with regulating and standardizing the processes by which merchants protect credit card data. The industry standards of such a consortium are not often adopted as law, but with Nevada doing just that, we could witness other states following suit. As Heather Mark from The Aegenis Group pointed out in her June 22 blog:
We are likely to see again the phenomenon that followed California’s passing of SB 1386, which introduced the country to Data Breach Notification Laws. In the wake of that legislation, a domino effect occurred, in which 45 states followed suit.
Should states mandate PCI DSS as law? Weigh in by commenting below.