Minnesota Legislature
HF 1758
1st Unofficial Engrossment - 85th Legislature (2007 - 2008) Posted on 12/15/2009 12:00am
KEY: stricken = removed, old language.
underscored = added, new language.
1.2relating to commerce; regulating access devices; establishing liability for
1.3security breaches; providing enforcement powers; proposing coding for new law
1.4in Minnesota Statutes, chapter 325E.
1.5BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
1.6 Section 1. [325E.64] ACCESS DEVICES; BREACH OF SECURITY.
1.7 Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this
1.8subdivision have the meanings given them.
1.9 (b) "Access device" means a card issued by a financial institution that contains a
1.10magnetic stripe, microprocessor chip, or other means for storage of information which
1.11includes, but is not limited to, a credit card, debit card, or stored value card.
1.12 (c) "Breach of the security of the system" has the meaning given in section 325E.61,
1.13subdivision 1, paragraph (d).
1.14 (d) "Card security code" means the three-digit or four-digit value printed on an access
1.15device or contained in the microprocessor chip or magnetic stripe of an access device
1.16which is used to validate access device information during the authorization process.
1.17 (e) "Financial institution" means any office of a bank, bank and trust, trust company
1.18with banking powers, savings bank, industrial loan company, savings association, credit
1.19union, or regulated lender.
1.20 (f) "Microprocessor chip data" means the data contained in the microprocessor
1.21chip of an access device.
1.22 (g) "Magnetic stripe data" means the data contained in the magnetic stripe of an
1.23access device.
1.24 (h) "PIN" means a personal identification code that identifies the cardholder.
2.1 (i) "PIN verification code number" means the data used to verify cardholder identity
2.2when a PIN is used in a transaction.
2.3 (j) "Service provider" means a person or entity that stores, processes, or transmits
2.4access device data on behalf of another person or entity.
2.5 Subd. 2. Security or identification information; retention prohibited. No person
2.6or entity conducting business in Minnesota that accepts an access device in connection
2.7with a transaction shall retain the card security code data, the PIN verification code
2.8number, or the full contents of any track of magnetic stripe data, subsequent to the
2.9authorization of the transaction or in the case of a PIN debit transaction, subsequent
2.10to 48 hours after authorization of the transaction. A person or entity is in violation of
2.11this section if its service provider retains such data subsequent to the authorization of
2.12the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after
2.13authorization of the transaction.
2.14 Subd. 3. Liability. Whenever there is a breach of the security of the system of a
2.15person or entity that has violated this section, or that person's or entity's service provider,
2.16that person or entity shall reimburse the financial institution that issued any access devices
2.17affected by the breach for the costs of reasonable actions undertaken by the financial
2.18institution as a result of the breach in order to protect the information of its cardholders
2.19or to continue to provide services to cardholders, including but not limited to, any cost
2.20incurred in connection with:
2.21 (1) the cancellation or reissuance of any access device affected by the breach;
2.22 (2) the closure of any deposit, transaction, share draft, or other accounts affected
2.23by the breach and any action to stop payments or block transactions with respect to the
2.24accounts;
2.25 (3) the opening or reopening of any deposit, transaction, share draft, or other
2.26accounts affected by the breach;
2.27 (4) any refund or credit made to a cardholder to cover the cost of any unauthorized
2.28transaction relating to the breach; and
2.29 (5) the notification of cardholders affected by the breach.
2.30The financial institution is also entitled to recover costs for damages paid by the financial
2.31institution to cardholders injured by a breach of the security of the system of a person or
2.32entity that has violated this section. Costs do not include any amounts recovered from
2.33a credit card company by a financial institution. The remedies under this subdivision
2.34are cumulative and do not restrict any other right or remedy otherwise available to the
2.35financial institution.
3.1EFFECTIVE DATES; APPLICATION.Subdivisions 1 and 2 are effective August
3.21, 2007. Subdivision 3 is effective August 1, 2008, and applies to breaches of the security
3.3of a system occurring on or after that date.
1.3security breaches; providing enforcement powers; proposing coding for new law
1.4in Minnesota Statutes, chapter 325E.
1.5BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
1.6 Section 1. [325E.64] ACCESS DEVICES; BREACH OF SECURITY.
1.7 Subdivision 1. Definitions. (a) For purposes of this section, the terms defined in this
1.8subdivision have the meanings given them.
1.9 (b) "Access device" means a card issued by a financial institution that contains a
1.10magnetic stripe, microprocessor chip, or other means for storage of information which
1.11includes, but is not limited to, a credit card, debit card, or stored value card.
1.12 (c) "Breach of the security of the system" has the meaning given in section 325E.61,
1.13subdivision 1, paragraph (d).
1.14 (d) "Card security code" means the three-digit or four-digit value printed on an access
1.15device or contained in the microprocessor chip or magnetic stripe of an access device
1.16which is used to validate access device information during the authorization process.
1.17 (e) "Financial institution" means any office of a bank, bank and trust, trust company
1.18with banking powers, savings bank, industrial loan company, savings association, credit
1.19union, or regulated lender.
1.20 (f) "Microprocessor chip data" means the data contained in the microprocessor
1.21chip of an access device.
1.22 (g) "Magnetic stripe data" means the data contained in the magnetic stripe of an
1.23access device.
1.24 (h) "PIN" means a personal identification code that identifies the cardholder.
2.1 (i) "PIN verification code number" means the data used to verify cardholder identity
2.2when a PIN is used in a transaction.
2.3 (j) "Service provider" means a person or entity that stores, processes, or transmits
2.4access device data on behalf of another person or entity.
2.5 Subd. 2. Security or identification information; retention prohibited. No person
2.6or entity conducting business in Minnesota that accepts an access device in connection
2.7with a transaction shall retain the card security code data, the PIN verification code
2.8number, or the full contents of any track of magnetic stripe data, subsequent to the
2.9authorization of the transaction or in the case of a PIN debit transaction, subsequent
2.10to 48 hours after authorization of the transaction. A person or entity is in violation of
2.11this section if its service provider retains such data subsequent to the authorization of
2.12the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after
2.13authorization of the transaction.
2.14 Subd. 3. Liability. Whenever there is a breach of the security of the system of a
2.15person or entity that has violated this section, or that person's or entity's service provider,
2.16that person or entity shall reimburse the financial institution that issued any access devices
2.17affected by the breach for the costs of reasonable actions undertaken by the financial
2.18institution as a result of the breach in order to protect the information of its cardholders
2.19or to continue to provide services to cardholders, including but not limited to, any cost
2.20incurred in connection with:
2.21 (1) the cancellation or reissuance of any access device affected by the breach;
2.22 (2) the closure of any deposit, transaction, share draft, or other accounts affected
2.23by the breach and any action to stop payments or block transactions with respect to the
2.24accounts;
2.25 (3) the opening or reopening of any deposit, transaction, share draft, or other
2.26accounts affected by the breach;
2.27 (4) any refund or credit made to a cardholder to cover the cost of any unauthorized
2.28transaction relating to the breach; and
2.29 (5) the notification of cardholders affected by the breach.
2.30The financial institution is also entitled to recover costs for damages paid by the financial
2.31institution to cardholders injured by a breach of the security of the system of a person or
2.32entity that has violated this section. Costs do not include any amounts recovered from
2.33a credit card company by a financial institution. The remedies under this subdivision
2.34are cumulative and do not restrict any other right or remedy otherwise available to the
2.35financial institution.
3.1EFFECTIVE DATES; APPLICATION.Subdivisions 1 and 2 are effective August
3.21, 2007. Subdivision 3 is effective August 1, 2008, and applies to breaches of the security
3.3of a system occurring on or after that date.