Effective January 1, 2010, any merchant accepting credit cards doing business in the state of Nevada must be in compliance with the current PCI standards set forth by the PCI Security Standards Council.
Like most laws, this one raises a question. According to Section 1, Paragraph 1:
If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) …
So if an e-Commerce merchant accepts an Internet transaction from a Nevada resident (or just someone passing through for that matter) is that e-Commerce merchant ‘doing business’ in the state of Nevada? I would say, in the strict application of the language, yes he is. Therefore he has violated Nevada law if he’s not in compliance.
There are some other important points to the law. It extends regulations to non-credit card data as well. SSN, Drivers License and other information are also covered in the new law.
Unfortunately, I don’t see the law as having any real teeth. There are no penalties for violation.
Some interesting commentary on the law can be found here and you can read the law in it’s entirety here.
Similar Posts:
- A bit of good news for PCI compliance – but only in Washington
- Mobile Payment Apps not PCI compliant?
- Card Breach Victim Gets Twenty Years ‘Probation’
- PCI Compliance Flaw
- My customer made me non-compliant
