Slashdot: News for Nerds

Governator Kills Data Protection Law

ScuttleMonkey posted more than 6 years ago | from the personal-data-not-that-important dept.

Privacy 177

eweekhickins writes "The Governator has killed a recent data protection law in California, and it won't be back. Using a tried-and-true argument, that the bill would have 'driven up the costs of compliance, particularly for small businesses,' California Governor Arnold Schwartzenneger vetoed what some are calling one of the nation's most stringent proposed e-tail data breach security laws."


177 comments

Subscriptions (3, Interesting)

mastershake_phd (1050150) | more than 6 years ago | (#20988889)

But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."
 
What about automatically recurring bills, like web hosting?

Re:Subscriptions (1)

GomezAdams (679726) | more than 6 years ago | (#20989021)

The bill was directed to retailers. Is your ISP a retailer? The article is not all that clear about the target but by 'retailer' it seems this is about the local iHop, No-Tell Hotel, or Victoria's Secret storing your credit card and any address, phone number, SS# info way past the authorization cycle. Having a mortgage, auto payments, and a monthly charge for services (I pay an annual fee for my web hosting) would be normal usage of customer data, but a retailer does not require any bank/credit card info after they receive the money for their product.

Re:Subscriptions (1)

mastershake_phd (1050150) | more than 6 years ago | (#20989127)

The bill was directed to retailers. Is your ISP a retailer?

Well that depends on how the bill defines "retailer".

Re:Subscriptions (2, Funny)

Anonymous Coward | more than 6 years ago | (#20989653)

Well that depends on how the bill defines "retailer".

Here in Texas, we define ISP retailers as copper chomping wallet vampires.

\\//_

Re:Subscriptions (1)

multisync (218450) | more than 6 years ago | (#20989253)

but a retailer does not require any bank/credit card info after they receive the money for their product.


Same goes with brick and mortar stores.

Once the transaction is complete all they need is a receipt with your signature and the Authorization Number on it. But try telling that to your typical wage-slave working in a retail store.

When paying by credit card, I am frequently annoyed to find my complete credit card number printed on the retailer's copy of the receipt, along with my name and the expiry date. When I scratch the number out, the clerk will often argue with me and insist that the full number is needed on their copy.

London Drugs does this - at least in Canada - while at the same time posting large signs in their stores with helpful tips on avoiding identity theft.

Re:Subscriptions (3, Interesting)

Attila Dimedici (1036002) | more than 6 years ago | (#20989459)

It has been a few years (late 90's) since I worked retail. However, I worked for a retailer that for various reasons people forgot that they had purchased things from with their credit card. The customer would get their bill and see a charge from our store on it. They would call the credit card company and contest the charge. The credit card company would send us a letter asking for the signed receipt for charge against Credit card # xxxx xxxx xxxx xxxx (where the x's were the number on the card) from such and such date. If we did not send it to them within a given amount of time, they would issue a credit to the customer and charge us the amount that we had received against that card. SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

Re:Subscriptions (0)

Anonymous Coward | more than 6 years ago | (#20989551)

I'm not sure if this is a NY specific law or a federal law, but as of a few years ago, it is illegal to print the full credit card number on receipts. Last 4 digits, transaction authorization number and card holder's name under the signature line is all of the identifying info on the receipt.

Not really (1)

jeevesbond (1066726) | more than 6 years ago | (#20989657)

SO, at that point a retailer did need a copy of the customer's credit card # for at least two months after the purchase.

That's what PAN print suppression is for. So instead of storing the whole credit card number you just store the first and last few digits, for example:

5454 xxxx xxxx 1234

Then you store the cardholder name and date of the transaction, this is enough evidence for the credit card company to verify the transaction, but not enough for an identity thief to go on a shopping spree. :)

Re:Subscriptions (1)

GlassHeart (579618) | more than 6 years ago | (#20989699)

No, you don't. All you need is a transaction id that the credit card company would issue you when you charged the card. (I have no idea if this id is in place, the point is that you don't actually have to store the sensitive card number.)

Re:Subscriptions (1)

cdrguru (88047) | more than 6 years ago | (#20989737)

Sorry, but every Internet merchant is a "retailer".

Subscriptions aren't the point. This would have required eliminating the model where you trick someone into paying for shipping for something that is otherwise free just so you can continue to bill them month after month for the rest of the collection. Video Professor is one example of this. Not that this would have been all that bad a deal, but it doesn't sound like an intended consequence.

There are also plenty of other service-related "retailers" that do recurring billings to credit cards. This would have ended this practice as well.

Re:Subscriptions (1)

Qzukk (229616) | more than 6 years ago | (#20989629)

What about automatically recurring bills, like web hosting?

They would demand that their CC processors issue them an encrypted token after the initial transaction that identifies the pair (company,creditcard) and can only be used for transactions involving that pair?

Re:Subscriptions (1)

einhverfr (238914) | more than 6 years ago | (#20989877)

First, this is nothing new. The PCI-DSS makes an identical requirement.

Basically, you can't store PIN, CVV2, or CVV values. This means that for recurring bills, you can *only* use AVS, which isn't so sensitive (basically street number (not name) and zip code).

In an ideal world, this would be done via the authorization code (tied to the merchant account!) rather than the credit card number, but not all processing gateways support this yet.
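The PAN print suppression jeevesbond describes above (keep "5454 xxxx xxxx 1234", the cardholder name and the date) and the PCI-DSS point einhverfr makes (no CVV2/PIN storage after authorization; an authorization code instead of the card number), as an added Python example that is not from any poster in this thread. The field names, the Luhn-valid dummy card number and the sale record are constructed for this example; the first-six/last-four limit is the usual PCI truncation rule.

```python
"""Store a card sale the way a merchant may keep it: truncated PAN, name,
date and authorization code; never CVV2, PIN or track data.

Added example; field names and sample data are constructed, not from any
real system or from this thread."""
import re
from dataclasses import dataclass

# Sensitive authentication data per PCI-DSS: must not be persisted after
# authorization, encrypted or not.  Key names are this example's own.
SENSITIVE_AUTH_FIELDS = {"cvv2", "pin", "track1", "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check on a digit-only string; weeds out mistyped or fake PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_first: int = 4, keep_last: int = 4) -> str:
    """Print-suppress a PAN to the form '5454 xxxx xxxx 1234'.

    At most the first six and last four digits may be kept (the usual PCI
    truncation limit); everything between becomes 'x'.  Input may contain
    spaces or dashes; output is regrouped in blocks of four."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("retaining more than first 6 / last 4 is still a full PAN")
    body = "x" * (len(digits) - keep_first - keep_last)
    masked = digits[:keep_first] + body + digits[-keep_last:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


@dataclass(frozen=True)
class StoredSale:
    """What the merchant keeps: enough to answer a chargeback inquiry,
    not enough for a thief to go shopping with."""
    masked_pan: str
    cardholder: str
    sale_date: str      # ISO date of the sale
    auth_code: str      # issued by the processor at authorization time
    amount_cents: int


def to_storable(raw: dict) -> StoredSale:
    """Reduce a just-authorized transaction to its storable form.

    CVV2/PIN/track fields are simply never copied; the PAN is truncated."""
    return StoredSale(
        masked_pan=truncate_pan(raw["pan"]),
        cardholder=raw["cardholder"],
        sale_date=raw["sale_date"],
        auth_code=raw["auth_code"],
        amount_cents=raw["amount_cents"],
    )


def matches_inquiry(stored: StoredSale, full_pan: str, sale_date: str) -> bool:
    """Answer 'do you hold a sale on card #... from date ...?' (the letter
    Attila Dimedici describes) using only the truncated record."""
    try:
        return stored.sale_date == sale_date and truncate_pan(full_pan) == stored.masked_pan
    except ValueError:
        return False


def audit_record(record: dict) -> list:
    """Flag a persisted record (e.g. from a legacy system) that keeps data
    the standard forbids.  Returns a list of findings; empty means clean."""
    findings = []
    for key in sorted(SENSITIVE_AUTH_FIELDS & set(record)):
        findings.append(f"{key} stored after authorization")
    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan):
        findings.append("full PAN stored; truncate it")
    return findings


# Constructed sample: a Luhn-valid dummy number, not a real card.
RAW_SALE = {
    "pan": "5454 0000 0006 1234",
    "cvv2": "123",
    "cardholder": "A. Customer",
    "sale_date": "2007-10-15",
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
}

if __name__ == "__main__":
    sale = to_storable(RAW_SALE)
    print(sale)                                                     # masked_pan='5454 xxxx xxxx 1234'
    print(matches_inquiry(sale, "5454000000061234", "2007-10-15"))  # True
    print(audit_record(RAW_SALE))                                   # two findings
    print(audit_record({"pan": sale.masked_pan}))                   # []
```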

First example: Slashdot! (2, Funny)

Spy der Mann (805235) | more than 6 years ago | (#20988891)

404 File Not Found
The requested URL (yro/07/10/15/2043242.shtml) was not found.

I guess the above isn't illegal anymore, right Taco? ;-)

Re:First example: Slashdot! (0)

Anonymous Coward | more than 6 years ago | (#20989955)

The Slashdot Funding Bill is passed. The system goes on-line Sept 1997. Human decisions are removed from news for nerds. Slashdot begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, September 29th. In a panic, they try to pull the plug, but too many simultaneous HTTP requests made that impossible for a few hours. A T-800 was sent back to create some mirrors, but fails.

I guess your: (1)

einhverfr (238914) | more than 6 years ago | (#20990003)

connection TERMINATED with error: 404.

"Governator"? Are we in 6th grade here? (4, Insightful)

Tetsujin (103070) | more than 6 years ago | (#20988893)

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

Re:"Governator"? Are we in 6th grade here? (2, Insightful)

Martin Blank (154261) | more than 6 years ago | (#20988923)

Indeed. This was old years ago -- before the recall election was even completed. It doesn't help that even when his name did appear, it was spelled incorrectly ("Schwartzenneger" as opposed to the proper spelling, "Schwarzenegger").

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20989069)

He must enjoy being called a black n**ger, as a part of some properly constructed sentence. :)

Re:"Governator"? Are we in 6th grade here? (1)

nuzak (959558) | more than 6 years ago | (#20989073)

Yeah, just prepending "California" or even just "CA" might have made it an eensy bit clearer. But hey, slashdot isn't about that pretentious "old media" with all its "accuracy" and "clarity" and "fact checking". Pshaw.

I prefer "Gubenator", which sounds funnier when said with Schwarzenegger's accent, and it's actually the real Latin word that "governor" comes from. But I wouldn't put that in a headline either.

It's not just a "recall" ... (4, Funny)

Slur (61510) | more than 6 years ago | (#20989163)

... It's a Total Recall!

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20988933)

Actually, he used both at the end of the news post. He did however misspell his last name.

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20990067)

Actually, he used both at the end of the news post. He did however misspell his last name.

Oh was that a misspelling? I thought he changed 'Egger' ('Acker' in Hochdeutsch -- acre, field) to 'Neger' (negro) as a dig. Well you know what Freud would say ...

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20988935)

Oh, either relax and don't let it bother you, or go piss off. He may have a name and a title, but as everyone knows, a good nickname is much more important.

Signed,

Anonymous Coward.

Re:"Governator"? Are we in 6th grade here? (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#20988947)

Yes, Mr. Shitforbrains.

Re:"Governator"? Are we in 6th grade here? (0, Offtopic)

Ash Vince (602485) | more than 6 years ago | (#20989287)

Personally I think Governator is brilliant.

On another related point, there is no way he would have got elected as a European with his original name if he hadn't been a rich famous movie star. So referring to him in a way that reminds people WHY he was famous in the first place is actually useful in this case.

For those who still have not remembered, he was originally famous for being a body builder who probably has taken more steroids than I have had hot dinners and then starred in loads of vaguely amusing action movies where no acting talent or intelligence was required. He had still barely learned to speak English after living and working here for years, and that was with a small fortune behind him by the end of his Hollywood career.

So no, we are not in 6th Grade, but you would never know it judging by who we elect to make decisions for us sometimes.

(Disclaimer - I cannot remember who he was running against but it would not surprise me if some or all of them were worse.)

Re:"Governator"? Are we in 6th grade here? (2, Informative)

Martin Blank (154261) | more than 6 years ago | (#20989341)

Then-Lt. Gov. Cruz Bustamante was the biggest candidate that he faced, and that was a very, very poor choice.

Schwarzenegger is widely regarded in business circles as savvy and intelligent, and before he made his biggest money in Hollywood, he'd become fairly wealthy in real estate. However, he ran as a moderate Republican and has turned out to be more liberal in many ways than the Democrat that he replaced. At least we get to see most of the bad deals that he makes, as opposed to Davis's multitude of closed-door, secret meetings selling off the state's future.

Re:"Governator"? Are we in 6th grade here? (2, Interesting)

AuMatar (183847) | more than 6 years ago | (#20989437)

Actually, his biggest opponent was Davis. Over 40% of the people voted to NOT recall him. If the courts hadn't made the braindead decision that he couldn't be on the general recall ballot, he probably would have been recalled, then rewon the election.

Must... resist... joke... (1)

Spy der Mann (805235) | more than 6 years ago | (#20989537)

Schwarzenegger is widely regarded in business circles as savvy and intelligent...

Without mentioning that his brain is a Neural Computah.

Re:"Governator"? Are we in 6th grade here? (2, Funny)

Opportunist (166417) | more than 6 years ago | (#20989469)

Hey, don't bash Arnie! Judging from Bush, the way he butchers English he could be President if he was born in the USA.

Re:"Governator"? Are we in 6th grade here? (1)

mikael (484) | more than 6 years ago | (#20990161)

On another related point, there is no way he would have got elected as a European with his original name if he hadn't been a rich famous movie star. So referring to him in a way that reminds people WHY he was famous in the first place is actually useful in this case.

He got elected because, in the economic downturn of the dot com bust, California's budget went from a surplus to a deficit. So everyone blamed Gray Davis and voted for Schwarzenegger instead.

No kidding (1)

SuperKendall (25149) | more than 6 years ago | (#20989295)

It doesn't help reasoned debate when people jump right into name calling. No matter who you are talking about... M$ is lame for the same reason.

Moderation of parent? (0)

Anonymous Coward | more than 6 years ago | (#20989457)

Parent called the story synopsis on being childish, prejudicial and improperly edited in its wording. Such matters should always be considered when reading the news as we all know that the source and/or the writer of such news can create or attempt to create desired effects from the target market. Nowhere but in advertising pieces is this more true than in editorials, and the submitter here would be the editor with Scuttlemonkey as the approving editor of eweekhickins' submission.

Only remaining question was if it was put out as submitted or edited in any fashion, which would also be an appropriate topic of discussion here. Of course it can be argued that the moderators are editors as well, after all the one who moderated the parent offtopic is equivalent to the editor at the paper who hides a story in the generally unread by the majority portions of the paper.

Informative or insightful would have been a more appropriate moderation.

666

Re:"Governator"? Are we in 6th grade here? (1)

pak9rabid (1011935) | more than 6 years ago | (#20989509)

I think he gets more respect as the 'Governator of California' than the 'Governor of California'

Re:"Governator"? Are we in 6th grade here? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20989635)

He used his Governor powers to terminate a privacy bill. Was there ever a time more appropriate to call him the Governator?

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20989791)

You sound like one of those 6th grade crybabies that everyone hated.

Don't like it? Go read another news site.

Re:"Governator"? Are we in 6th grade here? (1)

AK Marc (707885) | more than 6 years ago | (#20989957)

C'mon, I mean, seriously - whether or not you respect the man he has a name and a title, and you've used neither...

When I hear complaints like this, they inevitably come from Republicans that were fond of saying "Slick Willie" or Democrats that have uttered the words "Tricky Dick." Nicknames are popular in politics. They are popular in use by friends as well as supporters of the other party. If you don't like the divisive nature, you are in the wrong country. Try a place that doesn't have a two-party-only system.

Oh, and it uses both his name (well, a character name) and title together, so it isn't neither, it is both.

Re:"Governator"? Are we in 6th grade here? (0)

Anonymous Coward | more than 6 years ago | (#20990063)

+offtopic and +insightful?

come on mods, where is the +funny that this guy was obviously going for...

nope (0, Offtopic)

BobZee1 (1065450) | more than 6 years ago | (#20988895)

frist postin up in here boooya!!!!!

"Kill" a law? (4, Funny)

Jugalator (259273) | more than 6 years ago | (#20988919)

How does one "kill" a law, really? Bah -- surely, Arnold must have terminated this law.

Re:"Kill" a law? (2, Funny)

mangu (126918) | more than 6 years ago | (#20989089)

Arnold must have terminated this law.

Yes, but he himself said "I encourage the author and the industry to work together on a more balanced legislative approach,"

In other words, the law'll be back...

Re:"Kill" a law? (1)

Opportunist (166417) | more than 6 years ago | (#20989349)

In other words, the law is for sale.

Re:"Kill" a law? (0)

Anonymous Coward | more than 6 years ago | (#20989091)

Of course. Just wait 'till he terminates Skynet...
Remember: Judgement day is inevitable.

In Soviet Russia... (0)

Anonymous Coward | more than 6 years ago | (#20989343)

Laws kill you!

Re:"Kill" a law? (1)

pintpusher (854001) | more than 6 years ago | (#20989801)

Come on, you remember the little guy sitting on the steps, "... yes I'm only a bill..."

well, what happens is some fat dude comes out of the capitol building, grabs that little guy and starts bellowing something about "what's your function!" and then proceeds to rend him to little shreds and then stomps off stage right.

Re:"Kill" a law? (1)

tesmar (1033054) | more than 6 years ago | (#20990175)

He should not have terminated a bill which would help to prevent his http://www.youtube.com/watch?v=mAsLEv9KISE [youtube.com] stolen identity.

Look OUT! (1)

HartDev (1155203) | more than 6 years ago | (#20988921)

Grab my hand! You'll never have this data plan as long as I am around! No joke I think Arnold rocks!

Ah! The ads! (2, Informative)

Anonymous Coward | more than 6 years ago | (#20988927)

Here's the printer friendly version, with (somewhat) fewer advertisements.
http://www.eweek.com/print_article2/0,1217,a=217199,00.asp [eweek.com]
(posted as anon to avoid Karma whoring)

Levels of Compliance? (3, Insightful)

nonsequitor (893813) | more than 6 years ago | (#20988955)

Couldn't they redraft the law such that there are several levels of compliance? If you deal with the info of less than 100 individuals you would have the least amount of requirements to meet, 1000 individuals would put you in the next level, and so on. That way the biggest targets are required to be the most secure, and the more information they deal with, the higher their compliance level would be.

Re:Levels of Compliance? (1)

PhrankW (1077411) | more than 6 years ago | (#20989179)

Never happen. Way too sensible. Phrank

Re:Levels of Compliance? (2, Informative)

MtlDty (711230) | more than 6 years ago | (#20989483)

Actually, that's the way it currently does work according to the PCI-DSS. There are four levels of compliancy, and although the compliancy points across all levels are similar, the accreditation is more difficult at the higher levels (requires certification from an independent Qualified Security Assessor).

I think most of the EFT industry sees this move by Arnie as the correct thing. The payment card industry 'PCI Co' (mainly Visa and MasterCard) already has mandated merchants must comply with the Data Security Standard. They also have the means to force non-compliance fees on merchants, through their acquiring banks.

In short, there's no need to add layers of government bureaucracy to the mix - it would just cost the tax payer for something that the card industry should be able to manage, and add extra levels of confusion to what is already a difficult landscape of compliancy.

I wonder if the GOv thinks that (1)

einhverfr (238914) | more than 6 years ago | (#20990197)

the issue of compliance goes away.

In fact, the requirements are basically copied from the PCI-DSS 1.1 which Visa/Mastercard require compliance with anyway (and reserve the right to "fine" you for up to half a million dollars for losses of credit card numbers if you fail to comply).

This is at best political posturing and at worst a dangerous illusion for small businesses.

Too much effort to comply is not an excuse (5, Interesting)

ravenspear (756059) | more than 6 years ago | (#20989025)

Seems like a lot of companies out there today do not give the proper effort required to make even rudimentary considerations to the security of client data. This reminds me of an experience I had a few weeks ago. This is 100% true. I was sitting in a subway station waiting for a train. I sat down on a bench and noticed a plain unmarked vanilla envelope sitting on the bench next to me. There was no one else around so it was obvious whoever it belonged to had left it. I opened it and discovered it was several pages of customer records for a hotel chain (don't remember which). It had their names, what nights they had stayed, some additional information, and their FULL credit card numbers they had used to pay printed next to the names. I was amazed that someone would just leave this kind of information lying around anywhere for anyone to find.

What is this "marketplace" that he speaks of? (2, Insightful)

khasim (1285) | more than 6 years ago | (#20989105)

From TFA:

However, the current version of the bill, Schwarzenegger said, "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

What you saw is a perfect example of why LEGAL restrictions are needed. If it is LEGAL for a business to print out such information, then it WILL be stolen, eventually.

With the increase in "identity theft" it should be apparent to anyone that the "marketplace" is not capable of regulating itself.

All a "marketplace" does is ensure that those with the most power KEEP the most power. And right now that is not the credit consumer.

Re:What is this "marketplace" that he speaks of? (1)

Rakishi (759894) | more than 6 years ago | (#20989221)

So ...... prostitution and drugs should not be illegal because the "marketplace" can handle the problems?

Sure, why the hell not. Do you realize how much crime is caused by and public money is wasted on fighting both of those? We could probably provide welfare and free drugs to every single bloody drug user for less than it costs us now to deal with them in jail and in their gangs.

I'm not arguing that. (1)

khasim (1285) | more than 6 years ago | (#20989257)

I'm arguing the lack of logic in claiming that some fictional entity ("the marketplace") can provide protection in one instance ... but not in other instances.

So that certain instances require legal regulation.

But the fictional entity is used to justify the lack of legal regulation in the other instance.

Re:What is this "marketplace" that he speaks of? (1)

Opportunist (166417) | more than 6 years ago | (#20989373)

Money is like energy, you cannot waste or eliminate it. It just gets transformed into something that might not be useful for you.

In other words, don't worry, someone profits from it.

Re:Too much effort to comply is not an excuse (1)

Deadstick (535032) | more than 6 years ago | (#20989193)

plain unmarked vanilla envelope

Must make those in Mexico...

rj

It can be, if you want any small business (5, Insightful)

Sycraft-fu (314770) | more than 6 years ago | (#20989203)

When you deal with small businesses you are dealing with few employees, few resources, and so on. As such what they can do is limited. Now if you don't like small business, fair enough, but then remember that the alternative is large conglomerates like Microsoft.

So if you do want small businesses around, you have to make sure that you don't pass laws that force them out. For example, suppose you decided that in the interests of accessibility and such all businesses should be required to be able to take phone calls in any language that a sizable minority of Americans speak. So it turns out that companies need to support like 20 languages. For a large company, no problem, they grumble about it, hire more operators, raise prices and are done. A small business just shuts down, since they just cannot hire that many staff, even if they wanted to.

Now that's not to say that small businesses need a free pass on everything, but having the attitude of "They need to do this, I don't care how hard it is," is what leads to them going out of business and you having to shop at Walmart and buy MS. Big companies can play the game and deal with the stupid laws. The small ones can be killed by it.

Re:It can be, if you want any small business (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#20989401)

C'mon, be sensible. Keeping customer data reasonably safe is quite easy for small businesses. You have your POS with outsourced security (read: You bought some POS system that handles CC purchases for you). Your accounting needn't be on an internet terminal, that's something you do on a computer which can trivially be disconnected from the internet or anything else that could steal your data.

If anyone, large businesses face problems with increased demands in security.

Re:It can be, if you want any small business (1)

Sycraft-fu (314770) | more than 6 years ago | (#20989513)

Ahh, so what happens if you already own the system, and it doesn't meet the criteria. Just buy it again? What happens if it is then incompatible with your inventory? Just reenter it? Easy to say, less easy to do. I didn't read this bill, not relevant to me (I don't live in California). I am just saying that it is a perfectly legitimate argument against something that the costs are too high for small business.

You have to consider the cost of your actions, and that includes legislation. I dislike those who seem to hate large corporations, and yet want government regulation to the point that only those large corporations can exist. You have to accept that small businesses are often quite literally "mom and pop". A couple who owns a business and has a few employees. There are limits to what is reasonable to expect.

Re:It can be, if you want any small business (1)

AK Marc (707885) | more than 6 years ago | (#20989871)

What small business stores anything like this? They keep the receipts. They keep nothing else. The only place that takes a stamping of my card is CompUSA, and I don't think they qualify as small. The small businesses outsource everything. Often to the point that they don't even own the credit card terminal they use. They swipe and get a receipt they keep. All the other information is stored by some 3rd party on servers far far away. Unless by "small" business, you mean 100+ employees with servers and IT personnel already laying around, they aren't likely to keep credit card information at all. And if they are 100+ employees, they are big enough to be able to figure out how to do a little encryption.

I think this is a case where the big businesses cried that it was harmful to the small businesses, but nearly all small businesses would have been compliant with few changes (and possibly most compliant with no changes at all).

Re:It can be, if you want any small business (2, Informative)

einhverfr (238914) | more than 6 years ago | (#20990159)

You are missing a very basic fact---

If you have a noncompliant system today, whether or not this law would have been signed, and its problems resulted in the theft of a credit card number, your small business could be fined up to $500,000 by Visa/Mastercard.

That is the cost (right now) of noncompliance. So the solution to your question is-- do your homework, evaluate what you have, and get the right system.

Re:It can be, if you want any small business (1)

CodeBuster (516420) | more than 6 years ago | (#20989673)

This is precisely why I generally do not do business with small businesses or if I do, then I pay in cash. The problem with small business is that they are, well, small. They think small, they behave like amateurs (particularly in areas that are not part of their core business), and they usually provide no tangible benefit to a transaction while charging a higher price than larger businesses, especially at retail.

Now having said that, if we are going to increase the regulatory burden then it should be increased first upon the providers of consumer credit who are all large corporations and have been dragging their feet for years on security because in the current legal and regulatory environment insurance is cheaper. There is no incentive, or very little anyway, for credit card companies to substantially improve security as long as they are not perceived as being substantially worse in that area than their competitors (which are few enough since consumer credit is essentially an oligopoly [wikipedia.org] ). This is compounded by the fact that the general public has such a poor understanding of security that the credit card companies would rather pay lip service to security instead of actually spending money on something that most consumers have no appreciation of.

If the merchant is required to store anything at all then it should merely be a transaction number (not the credit card number) which can be cross checked with the credit card processors in the event of an audit and the amount. The credit card processors will whine about having to store massive amounts of transaction data, but they have been earning massive profits on consumer debt for decades and would be seen as crying with two loaves of bread under their arms...they should be ignored.

Re:It can be, if you want any small business (1)

einhverfr (238914) | more than 6 years ago | (#20990145)

Actually, security is as big an issue for larger businesses. You have legacy systems built when nobody foresaw the sorts of security threats we have today, and a *lot* of data is still stored in them. Some of those systems probably store data no longer allowed by the PCI-DSS.

The goal ought to be to help build awareness of PCI-DSS compliance and help all businesses become compliant.

Agree and disagree (2, Informative)

einhverfr (238914) | more than 6 years ago | (#20990133)

Most of my customers are small businesses which also process credit cards. What you have to remember is the controversial portions of the law are *already* requirements for small businesses which process credit cards. I invite you to read the PCI-DSS 1.1 (and yes, there are a lot of non-compliant small businesses out there).

Now the PCI-DSS does not really have the force of law at the moment, but it might as well. Visa/Mastercard reserves the right to fine merchants up to half a million dollars for violations resulting in theft of sensitive cardholder information. Many smaller fines are levied against businesses who are required to certify their compliance with third parties (these are either larger businesses or those who have had past problems).

This isn't about an attack on smaller businesses. Businesses *should* be doing this already. If they don't they are already risking their continued operations. Hopefully such a law would help build awareness of these sorts of problems and help small businesses actually avoid problems. Yes, compliance is a bear, but already the costs of noncompliance, as levied by Visa/Mastercard are sufficient to drive small businesses out of business.

Re:Too much effort to comply IS an excuse (5, Informative)

Harmonious Botch (921977) | more than 6 years ago | (#20989219)

I own a small business. I spend at least 1/3 to 1/2 of my time doing govt paperwork, or complying with some govt standard which is either 1) an obviously good business practice that does not need to be legislated or 2) irrelevant or 3) stupid or 4) #2 and #3.

These legislators live in a hypothetical world of zero risk. Any problem that they see, they try to legislate out of existence. But they don't have to pay the bills. They don't have to make the decisions of how limited resources are applied to problems.

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.

Laws have consequences. And someday the consequence may be your job.

Re:Too much effort to comply IS an excuse (1)

Harmonious Botch (921977) | more than 6 years ago | (#20989693)

As the subject is regulation, I should add that due to unneeded regulations my business is much less efficient than it could be. It is not nearly as easy to quantify as the losses to taxes, but I estimate it is a job loss for one part-time person.

Re:Too much effort to comply IS an excuse (4, Insightful)

bjourne (1034822) | more than 6 years ago | (#20989725)

With all the taxes that I pay, I could hire another employee. But these well-meaning legislators have effectively fired him before I could ever hire him.
That argument is quite stupid. Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business are irrelevant. Or you don't have a use for a new employee, which means that $value_of_work is less than $salary, which means no hire. Tax has nothing to do with that decision. It's a great way to raise sympathy for your cause though (more money). However, no business owner would rather hire someone than pocket the money if the latter is more profitable.

Re:Too much effort to comply IS an excuse (5, Insightful)

Harmonious Botch (921977) | more than 6 years ago | (#20990005)

Your calculations are overly simplistic.

You are assuming that every dollar is of equal value to me. This is not the case. This is an instance of diminishing returns.

As the business earns more money, I can make the decision to either do the work myself or to hire someone to do it. Initially to meet my living expenses, I'll do all the work myself ( yes, there were times when I did 80+ hour weeks ). But, after earning a comfortable living, I am now making the decision: do I want more time or more money. When I hire the new employee, I do less work.

If I had more disposable income, I would buy more time. ( ie: I would hire an additional person )


Furthermore, employees do not exist in a vacuum. They require places to work. And real estate cannot be allocated piecemeal like RAM. One cannot assign a profit-per-person value to an employee and expect to implement it repeatedly. If one could, then every business would be crammed with employees like sardines in a can.

Re:Too much effort to comply IS an excuse (5, Insightful)

khallow (566160) | more than 6 years ago | (#20990043)

Either you have a use for a new employee, which means that you earn more money from his or her work than it costs you in salary. If you do, then the taxes on your business is irrelevant.

I don't see why it's so difficult for you to understand: if you raise the taxes or regulation cost per employee on a business, then it's easy to cross over the threshold where you no longer earn more from that employee than it costs you in salary and increase in mandated expenses. In addition to direct expenses per employee, you have to train the employee to deal with the new regulations, and bureaucracy grows as the employee base grows and as the regulation burden grows. Second, there's the matter of cash flow. The weaker a business's cash flow, the harder it is for them to expand their business. Regulations like this consume cash flow. The business has to spend to stay in compliance.

Not in this case (1)

einhverfr (238914) | more than 6 years ago | (#20990241)

If you accept credit cards, you already have to comply. Look up the PCI-DSS, and note that Visa/MC already require everything that was in this bill. Note too that Visa/MC already reserve the right to "fine" you for noncompliance (if you have a merchant account) up to $500,000.00 USD.

Yet most small businesses have *no* idea what is required of them. This passage of the law would have helped businesses avoid problems which could put them out of business.

Please note that my business is fairly small and most of my customers are small to midsize businesses. I sympathize with the concern over too much regulation, but this particular case is something which would not have added practical regulatory issues and would have helped publicize what credit card merchants are required to do anyway.

Re:Too much effort to comply is not an excuse (2, Funny)

ozphx (1061292) | more than 6 years ago | (#20989415)

This reminds me of an experience I had a few weeks ago. This is 100% true. I work for a government agency doing sting operations against identity thieves. We leave a plain vanilla envelope on a bench of a subway station containing fake customer records. If anyone opens the envelope then we give them a few days to report it.

I'm amazed that it usually ends up in the phase where I roll down there with uniform and stick a nightstick up the suspects ass. They never see it coming!

Re:Too much effort to comply is not an excuse (1)

ravenspear (756059) | more than 6 years ago | (#20989523)

haha ok but, you're forgetting the third and most likely option. They don't report it but they also are not identity thieves. I just shredded it and threw it away.

Re:Too much effort to comply is not an excuse (0)

Anonymous Coward | more than 6 years ago | (#20989535)

Are you fucking serious?!?!?!?!

If that happens again (1)

einhverfr (238914) | more than 6 years ago | (#20990057)

I would check out who you contact at Visa/Mastercard. This is a pretty serious violation of security requirements, and the hotel chain could be fined substantially for the lapse in security. Note that if you have the full credit card number and the customer's address, you can basically get AVS-type queries to pass. I would suggest helping ensure that it gets turned in to Visa/Mastercard.

I am not quite sure what the fine is for something like this, but the maximum (when credit card numbers are actually stolen) is about half a million dollars per incident.

"It won't be back"? (4, Informative)

whoever57 (658626) | more than 6 years ago | (#20989039)

Perhaps the submitter or editor could refrain from lame jokes when said joke is in conflict with the article:

Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill.

Re:"It won't be back"? (1)

johndiii (229824) | more than 6 years ago | (#20989215)

Not only that, but it passed both houses with a majority well in excess of that required to override the veto.

obligatory charlie brown (0)

Anonymous Coward | more than 6 years ago | (#20989075)

There are three things I have learned never to discuss with people: religion, politics, and the Great Pumpkin.

PCI Compliance (1)

jeramybsmith (608791) | more than 6 years ago | (#20989273)

Because of PCI compliance you have Linux/Unix admins across the country installing useless virus scanners that scan for windows viruses on their Linux/Unix machines. PCI compliance is a private initiative by the credit card companies.

I would hate to see the retardation government compliance laws in 50 different states would result in.

This is Old News (0)

Anonymous Coward | more than 6 years ago | (#20989275)

Haven't you people learned by now that nothing, NOTHING, must stand in the way of Business making money? What are you on, some kind of Jimmy Stewart trip?

data protection laws not always good (1)

wikinerd (809585) | more than 6 years ago | (#20989277)

I, as an individual, prefer to be responsible for protecting my own data, rather than having a government nanny creating huge bureaucracies with great costs and making everyone's life difficult and not necessarily more secure. I really do not know much about this particular law, or whether its change was motivated by some multinational (in which case it's bad) or true concern for the costs to small businesses (which is a valid concern), but speaking generally I distrust data protection laws, as they can be used by governments for purposes other than protecting people's data. Yes, some laws are needed, but not too many. (IANAL)

Re:data protection laws not always good (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#20989427)

All great, but then please at least install some kind of punishment if someone who has to handle my data is careless with it.

Companies don't care about customer data security. So they won't lift a finger to secure it unless there's some "incentive" to do it.

Re:data protection laws not always good (1)

wikinerd (809585) | more than 6 years ago | (#20990181)

I would very much prefer an NGO or citizen organisation funded by donations to create data protection standards and then choose to shop only from companies bearing the NGO's approval logo. Perhaps the only law that's needed is that every citizen has a right to privacy and their data, and before a transaction customer and company must agree to a contract or policy that defines what is going to happen to the personal data involved. If the company does something against the contract then the customer is entitled to various remedies... that's all, so simple. A simple law defining the general spirit of privacy that society has to provide to its members, another simple law defining the general spirit of privacy policies, and one or more independent NGOs (or even just a wiki where citizens can post their stories) to help customers choose the companies that actually care about privacy. It is, of course, true that even NGOs can be eroded by corporate interests or lose their focus to their mission, but I still see no reason to have a great deal of government data protection laws and red tape.

Re:data protection laws not always good (0)

Anonymous Coward | more than 6 years ago | (#20989637)

Oh really? Does that mean you don't have a credit card, car loan, home mortgage, student loan, cell phone, social security number, or any other connection to the world other than your slashdot account? If you said "no" to any of the aforementioned, good luck protecting it yourself. If you said "yes" to all, more power to you and thanks for not passing on your genetic material.

Re:data protection laws not always good (2, Insightful)

CodeBuster (516420) | more than 6 years ago | (#20989753)

I, as an individual, prefer to be responsible for protecting my own data

Which you cannot do because you do not have control over what information third parties collect and store except for that provided by the government through laws and regulation. There are plenty of large data brokers (remember ChoicePoint?) who collect tons of information about everyone (everything that they can get their hands on) and then sell it to practically anyone with the ability to pay. If you pop up on the grid even once with these guys then they have you pegged for the rest of your life. It is practically impossible to avoid the information brokers without living under a rock and paying for everything in cash.

Re:data protection laws not always good (1)

wikinerd (809585) | more than 6 years ago | (#20990239)

The big multinationals can bypass the laws. So, in reality, the only thing these laws do is make life difficult for the small guys and make it easier for the government to spy on everyone. Why not have an NGO or citizen organisation supported by our donations instead of government bureaucracies and red tape? A law defining the general spirit of privacy and privacy policies and making it easy for people to get entitled to remedies in case of privacy breaches would be enough.

Good political move (1, Insightful)

Qwavel (733416) | more than 6 years ago | (#20989365)

I can imagine that in the state of CA there must be a ton of internet businesses just dying to sell user data. And a lot of those companies will be directing some of their new revenue to the governor that made it all possible. If he can put an 'anti red tape and government bureaucracy' face on it, all the better.

Kills Data Protection Law? (1)

nurb432 (527695) | more than 6 years ago | (#20989419)

Wouldn't that be 'terminates data protection law' ?

The Goven-ator is foolish. (2, Insightful)

Neanderthal Ninny (1153369) | more than 6 years ago | (#20989431)

We need to have some level of protection when we give our information away. I have seen all of the bad examples out there, even for the big companies like TJX. But the small and medium size businesses don't have the resources, or at least don't want to release these resources, to protect this data in this manner. I understand this from both sides, and the legislature should create a bill that has these protections for the consumers, but for the small to medium sized businesses which can prove that they cannot afford such a system, some form of tax break or something so they can get the system to protect us in California, and hopefully this will spread to the rest of the country.

PCI Standards (2, Insightful)

azrider (918631) | more than 6 years ago | (#20989453)

The Payment Card Industry standards are, at this point, simply a recommendation. Having built systems which process credit cards, I found that the change to comply with PCI (and prevent ID/card theft) is one line. In one system, the full card number is in the system (encrypted) only from the time it is entered to the time approval/disapproval is returned.

In fact, the card number is no longer needed to process a credit after the fact. The only information required is the merchant ID, the transaction ID and the approval code.

That said, the only way that merchants are dunned is in response to an audit (very rare) or a breach (unfortunately less rare).

The PCI standards allow for storing the card number as the last four (with X's filling the previous part), 4 X's and the last four, or the last four alone.

If your merchant gives you a receipt (and their copy also shows) anything other than XXXXXXXXXXXX1234 (shortened for some incarnations of Visa and AMEX), XXXX1234 or 1234, complain loudly to the manager of the establishment as well as your card issuer. Reference the Payment Card Industry Data Security Standard 1.1 (2005).

Re:PCI Standards (1)

MtlDty (711230) | more than 6 years ago | (#20989593)

There are some mistruths in this otherwise quite informative post.

Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.

So the full card number is required for
a) initial authorization request, typically taken when the cardholder places the order,
b) reauthorisation prior to dispatch (typically required when the order has taken more than a week or so to process - if the card is not re-authed the merchant may face chargeback. This varies between card issuers and acquirers.)
c) Settlement, ie when the merchant actually banks the money. For this the merchant sends an end of day settlement file containing card number and authorization details.
d) Then, as mentioned most acquirers request the details are kept for at least six months to allow for Request For Information queries about the transaction.

Final point is that PCI allows for card numbers to be stored in first six, last four format - but for receipts you're quite right in that it must be only the last four digits (at most) printed.

Re:PCI Standards (1)

PFAK (524350) | more than 6 years ago | (#20989805)

Should it only show the last four digits for merchant, customer copy, or both?

Are the same standards upheld in Canada for MasterCard/Visa?

Re:PCI Standards (2, Informative)

azrider (918631) | more than 6 years ago | (#20989865)

Firstly, most of the acquiring banks actually request that the merchants keep card number data for *at least* 6 months after the original transaction. This is to allow the cardholder time to make a chargeback, and for the acquiring bank to make enquiries with the merchant about the transaction. Some acquirers have much longer data retention periods.
See the above referenced standard: https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm . The only required information is merchant ID, merchant transaction number, authorization transaction ID, authorization number and amount.

So the full card number is required for a) initial authorization request, typically taken when the cardholder places the order,
Yes

b) reauthorisation prior to dispatch (typically required when the order has taken more than a week or so to process - if the card is not re-authed the merchant may face chargeback. This varies between card issuers and acquirers.)
No

c) Settlement, ie when the merchant actually banks the money. For this the merchant sends an end of day settlement file containing card number and authorization details.
No

d) Then, as mentioned most acquirers request the details are kept for at least six months to allow for Request For Information queries about the transaction.
The acquirer (if you are referencing the agent who actually provides the authorization) may request but may not require the information to be kept, since all necessary information is provided by the data that I stated.

Again, look at the standard before you post a critique.
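The sub-thread above turns on three concrete points: what a merchant actually needs to keep after authorization (merchant ID, transaction ID, approval code, amount), how a PAN may be truncated for storage (first six and last four) versus on a receipt (last four only), and how a customer or auditor would spot a receipt or log that still carries a full card number. The following is an added example written for this page, not code from any poster or from the PCI DSS itself. It implements the two masking rules, a post-authorization record that deliberately has no PAN field, and a leak check that scans constructed receipt lines for Luhn-valid 13-19 digit card numbers while reporting each hit in truncated form so the finding itself does not re-leak the PAN. The sample lines, merchant identifiers and authorization codes are all made up; the card numbers are the standard Visa and Amex test numbers.

```python
"""PAN truncation and a receipt/log leak check (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Card number length range and the Luhn check used to tell PANs from other digit runs.
PAN_MIN, PAN_MAX = 13, 19


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of ASCII digits (False for non-digits)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(pan: str) -> str:
    """Strip spaces/dashes and refuse anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not (PAN_MIN <= len(digits) <= PAN_MAX and luhn_ok(digits)):
        raise ValueError("not a plausible card number")
    return digits


def mask_for_receipt(pan: str) -> str:
    """Receipt form (merchant and customer copy): only the last four digits survive."""
    digits = _digits_of(pan)
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_for_storage(pan: str) -> str:
    """Stored reference form: issuer prefix (first six) and last four, middle dropped."""
    digits = _digits_of(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def settlement_record(merchant_id: str, txn_id: str, auth_code: str,
                      amount_cents: int) -> Dict[str, object]:
    """What the merchant keeps after authorization: no PAN, no CVV, no track data.
    Field names are this example's own, not a processor's schema."""
    return {
        "merchant_id": merchant_id,
        "txn_id": txn_id,
        "auth_code": auth_code,
        "amount_cents": amount_cents,
    }


# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, storage-masked PAN) for every Luhn-valid card number
    found in the lines. The full PAN is never returned or logged."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if PAN_MIN <= len(digits) <= PAN_MAX and luhn_ok(digits):
                hits.append((idx, mask_for_storage(digits)))
    return hits


# Constructed receipt/journal lines: one compliant, two leaking a full PAN,
# and one with a 16-digit transaction reference that is not a card number.
SAMPLE_RECEIPT_LINES = [
    "2007-10-15 12:01:33 POS1 SALE VISA XXXXXXXXXXXX1111 $42.17 AUTH 017394",
    "2007-10-15 12:02:10 POS1 SALE VISA 4111 1111 1111 1111 $19.99 AUTH 017401",
    "2007-10-15 12:03:55 POS2 SALE AMEX 378282246310005 $120.00 AUTH 017412",
    "2007-10-15 12:04:20 POS2 VOID TXN 0000123456789012 AUTH 017412",
]

if __name__ == "__main__":
    for idx, masked in find_unmasked_pans(SAMPLE_RECEIPT_LINES):
        print(f"line {idx}: full card number present ({masked})")
    print(settlement_record("MID-000123", "0000123456789012", "017401", 1999))
```

The leak check keys on the Luhn checksum, which is why the 16-digit transaction reference on the last sample line is ignored while the two real card numbers are flagged; a digit-count-only grep over a POS journal drowns in order numbers and timestamps. Storing `mask_for_storage` output alongside `settlement_record` is enough to answer a chargeback or Request For Information by transaction ID, which is the point azrider makes above.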

come again? (0)

Anonymous Coward | more than 6 years ago | (#20989539)

e-tail? Isn't that what you get when you marry a robot?

Interesting (1)

cdrguru (88047) | more than 6 years ago | (#20989543)

There are many businesses that accept credit cards via third parties. The real "merchant" is this third party but all of the personal information (except for credit card number) is transmitted to the vendor/author/publisher/etc.

Amazon has a service for this, for example. Your personal information is being sold (in a manner of speaking) or at least transferred from the merchant to this vendor that is really selling you the goods. Wouldn't this violate many of the recent laws? I would certainly think it would.

I would imagine that such services are now possibly illegal to use in Canada. Maybe other places as well. Who knows?

Re:Interesting (1)

CodeBuster (516420) | more than 6 years ago | (#20989793)

Wouldn't this violate many of the recent laws? I would certainly think it would.

Probably not with large companies like Amazon since they have the resources to meet the regulatory burdens. Amazon is in fact becoming a payment processing service in its own right (for markets where it chooses not to be directly involved), whereby small businesses receive payments from Amazon, not directly from the consumer, and are told by Amazon where to ship the goods. In fact this is preferable for the consumer because it is better to have the payment information in one place that is well guarded rather than spreading it out piecemeal among small businesses who are mostly security novices. The PayPal service is an implementation of the exact same idea. These services exist for a reason and most Internet commerce wouldn't take place without them.

Schwartzenneger vs Schwarzenegger vs Governator (1)

atari2600 (545988) | more than 6 years ago | (#20989845)

Editors? Where art thou?

Spelt his name wrong, of course. (3, Informative)

Paperweight (865007) | more than 6 years ago | (#20989941)

Sorry, I browsed for another post to mod-up but nobody made the point that Schwarzenegger was spelt wrong.

Other names for bill (2, Insightful)

tjstork (137384) | more than 6 years ago | (#20990035)

The "Don't host anything in California Act"
The "Not Available Online to California Residents Act"

and more...

Sorry, but in world of nearly a billion people online, California's market of 40 million isn't as much worth the pain in the ass they keep regulating it to be.

It was inevitable (1)

PPH (736903) | more than 6 years ago | (#20990037)

Now SkyNet can locate the correct Sarah Conner.