Nevada SB 227 - Legally Enforced PCI DSS Compliance

For a reason to buy Information Security policies, it is hard to beat an excerpt directly from the law itself:


“If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.”



The State of Nevada enacted an information security law, effective January 1, 2010, that makes compliance with the Payment Card Industry Data Security Standard (PCI DSS) a statutory requirement. Businesses are not only required to secure their own systems; because the law's encryption duty follows personal information onto any device that leaves their logical or physical controls, they are also responsible for ensuring that the vendors and contractors who receive that information are equally compliant and secure.

iSecurityPolicy.com’s Written Information Security Program (WISP) meets ALL of Nevada SB 227 so any business that does business in Nevada and handles payment card data could purchase and implement a WISP to become compliant with this new law.


Summary of SB 227

Going into effect on January 1, 2010, this Nevada law dictates that if a “data collector doing business” in Nevada accepts payment cards in connection with a sale of goods or services, it must comply with the most current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS, which among other things requires cardholder data to be encrypted when transmitted over open, public networks (wireless included) and the primary account number to be rendered unreadable wherever it is stored, was until now only a contractual obligation imposed on merchants by the card brands and their acquiring banks. Nevada is the first state to give it the force of law. A “data collector” is defined as any organization that “handles, collects, disseminates or otherwise deals with nonpublic personal information.”

A data collector to whom the PCI DSS clause does not apply (for example, one that collects, handles or deals with personal information in a context other than payment card transactions) is still covered by this law and must encrypt personal information sent “through an electronic, nonvoice transmission other than a facsimile” to anyone outside the data collector’s secure system. It must also encrypt personal information stored on any data storage device (including any portable device or medium such as a laptop, flash or USB drive, mobile phone, CD-ROM or magnetic tape) that is moved “beyond the logical or physical controls” of the data collector or its data storage contractor.

The encryption technology defined by SB 227 must have “been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards (FIPS) issued by the National Institute of Standards and Technology (NIST).”  It must also incorporate “appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption” using guidelines issued by an established standards setting body (e.g. NIST). 
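As an added example (not code from the page, the statute or the vendor's policies), the Go program below shows what the first half of that definition looks like in practice: AES-256-GCM, the FIPS 197 block cipher in the NIST SP 800-38D authenticated mode, applied to a constructed personal-information record before it is copied to a USB drive or attached to an e-mail. The key is generated and kept on the data collector's side; only the nonce and ciphertext travel with the data, so the record is “indecipherable in the absence of associated cryptographic keys,” and any attempt to read it with the wrong key, under the wrong label, or after a byte has been altered fails instead of yielding garbage. The record contents, the label and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that may travel with the data when a storage
// device leaves the data collector's controls: nonce and ciphertext, never the key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real deployment
// the key lives in a KMS, HSM or key vault under the data collector's control and
// is never written to the device that carries the ciphertext (assumption for the example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM (FIPS 197 cipher, SP 800-38D mode).
// The label (for example a file or record identifier) is bound as associated data,
// so a ciphertext cannot be silently substituted for a different record's.
func Seal(key, plaintext []byte, label string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	// One random 96-bit nonce per message; GCM's security collapses if a nonce repeats under a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(label))}, nil
}

// Open decrypts and verifies the authentication tag. A wrong key, a wrong label
// or a single modified byte returns an error rather than corrupted plaintext.
func Open(key []byte, env Envelope, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has wrong nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(label))
}

func main() {
	// Constructed sample record for the example; not real personal information.
	record := []byte("name=Jane Example;ssn=000-00-0000;account=1234")
	label := "hr-export-2010-01.csv" // assumed record identifier

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	// env is what gets copied to the USB drive or e-mailed; key stays behind.
	got, err := Open(key, env, label)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, record))

	// Flip one ciphertext byte: the tag check must reject the whole blob.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, env, label)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The second half of the definition, clause (5)(b)(2) on key management, is deliberately not reduced to code here: generating keys from a CSPRNG and keeping them off the portable device is the minimum, but rotation, storage, access control and destruction of keys are governed by NIST SP 800-57 and belong in the key-management procedure, not in the encryption routine. Two practical limits of this construction are worth noting: with random 96-bit nonces, SP 800-38D caps the number of messages per key at 2^32, so a key used for bulk exports must be rotated, and GCM authenticates but does not hide the length of the record.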

Coverage is also broader than customer data: employee and other non-customer Personally Identifiable Information (PII) is included. There is a twist in the definition of a facsimile transmission, which is normally excluded from the encryption requirement. A facsimile must conform to the technical requirements laid out in the statute (dedicated fax machines or modems using the ITU T.4, T.38, T.31 or T.32 standards), and the term does not include an “onward transmission to a third device after protocol conversion, including, but not limited to, any data storage device.” Thus a fax containing personal information that is received by a fax service and re-transmitted to a laptop or mobile phone as an e-mail falls outside the exemption and may have to be encrypted.

Furthermore, the requirement to encrypt personal information on a storage device that is moved beyond the controls of the data collector or its data storage contractor imposes a clear obligation to monitor and enforce compliance by vendors. If a vendor is to be entrusted with personal information, the data collector should review the vendor’s information security program beforehand to verify compliance with the encryption requirement and should include this requirement in its contract with the vendor as well as reserving a right to audit the vendor’s information security practices for ongoing compliance.

[Figure: PCI transaction flow]

Example Situation: Buying Food

This example shows a simplified list of the parties involved when a debit or credit card is used to buy something as simple as a sandwich.

Every business entity in the chain, from the merchant, to the credit card processors and merchant service providers (MSPs), to the issuing bank, must be PCI DSS compliant.

Merchants must not only be PCI DSS compliant themselves; PCI DSS Requirement 12.8 also makes them responsible for maintaining a list of the service providers that store, process or transmit cardholder data on their behalf, holding them to a written agreement, and monitoring their compliance status. Outsourced service providers are therefore held to the same standard.

Legal Requirements of SB 227

An Act relating to security of personal information; requiring the compliance with certain standards or the use of encryption by data collectors when transferring personal information; and providing other matters properly relating thereto.

Legislative Counsel’s Digest:
Section 1 of this bill requires that a data collector comply with certain standards or use encryption to protect information that is either transmitted electronically or contained on a data storage device that is moved beyond the controls of the data collector. Section 1 also renders a data collector not liable for a breach of the security of the system data in certain circumstances.

Section 1. Chapter 603A of NRS is hereby amended by adding thereto a new section to read as follows:

(1). If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.
      Requirement covered by the Non-Regulatory Compliance Policy

(2). A data collector doing business in this State to whom subsection 1 does not apply shall not:

    (2)(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or
      Requirement covered by the Data Classification and Encryption Policies

    (2)(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
      Requirement covered by the Encryption Policy

(3). A data collector shall not be liable for damages for a breach of the security of the system data if:
(3)(a) The data collector is in compliance with this section; and

      Requirement covered by the Non-Regulatory Compliance Policy
(3)(b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

(4). The requirements of this section do not apply to:
(4)(a) A telecommunication provider acting solely in the role of conveying the communications of other persons, regardless of the mode of conveyance used, including, without limitation:
    (4)(a)(1) Optical, wire line and wireless facilities;
    (4)(a)(2) Analog transmission; and
    (4)(a)(3) Digital subscriber line transmission, voice over Internet protocol and other digital transmission technology.

(4)(b) Data transmission over a secure, private communication channel for:
    (4)(b)(1) Approval or processing of negotiable instruments, electronic fund transfers or similar payment methods; or
    (4)(b)(2) Issuance of reports regarding account closures due to fraud, substantial overdrafts, abuse of automatic teller machines or related information regarding a customer.

(5). As used in this section:
(5)(a) “Data storage device” means any device that stores information or data from any electronic or optical medium, including, but not limited to, computers, cellular telephones, magnetic tape, electronic computer drives and optical computer drives, and the medium itself.
(5)(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:
    (5)(b)(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
      Requirement covered by the Encryption Policy
    (5)(b)(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.
      Requirement covered by the Encryption Policy
(5)(c) “Facsimile” means an electronic transmission between two dedicated fax machines using Group 3 or Group 4 digital formats that conform to the International Telecommunications Union T.4 or T.38 standards or computer modems that conform to the International Telecommunications Union T.31 or T.32 standards.
      Requirement covered by the Analog Line Policy
The term does not include onward transmission to a third device after protocol conversion, including, but not limited to, any data storage device.
      Requirement covered by the Data Classification and Encryption Policies
(5)(d) “Payment card” has the meaning ascribed to it in NRS 205.602.
(5)(e) “Telecommunication provider” has the meaning ascribed to it in NRS 704.027.

Sec. 3. This act becomes effective on January 1, 2010.


Copyright 2005-2010. All rights reserved.
iSecurityPolicy.com is owned by BlackHat Consultants, LLC. BlackHat Consultants, LLC is Veteran owned.
We are proud to support other small & medium businesses that help make this a great country.