Scott & Scott | Software Compliance Counsel

Minnesota Passes PCI-Inspired Data Protection Law

The Minnesota Plastic Card Security Act (“PCSA”) became effective August 1st, 2007. Designed to offer greater protection to consumers’ personal data, the PCSA is a controversial state law that applies broadly to businesses accepting credit cards in Minnesota.

The PCSA applies to “any person or entity conducting business in Minnesota that accepts an access device [e.g., credit or debit card] in connection with a transaction.” Size of the transacting entity is immaterial. Additionally, the law applies equally to persons and formal business entities accepting credit or debit cards.

What is prohibited activity under the PCSA?

The transacting entity must not retain the consumer’s PIN, card security code, or the full contents of any track of magnetic stripe data subsequent to the authorization of the transaction. In the case of a PIN debit transaction, the information may not be kept for more than 48 hours after the transaction has been authorized.

What is the liability?

The breaching person or entity must reimburse the financial institution that issued any access devices (payment cards) affected by the breach for the costs of any reasonable actions undertaken by the financial institution as a result of the breach in order to protect its cardholders’ information or to continue to provide services to cardholders. Examples of such costs include, but are not limited to:

  • cancellation or reissuance of any affected access device
  • closure of any affected deposit, transaction, share draft, or other accounts, or action to stop payment or block transactions
  • any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach
  • notification of cardholders affected by the breach
  • damages paid by the financial institution to cardholders injured by a breach

If your business accepts credit or debit cards and conducts business in Minnesota, you should carefully review the requirements of the PCSA to determine whether you are compliant.


About

This page contains a single entry from the blog posted on August 28, 2007 9:45 AM.
