Pages 12-15

From page 12...
C. State Laws and Transit Agency Policies on Retention of Personal Data. Transit agencies are subject to state laws and/or have their own policies regarding the retention of customers' data.
From page 13...
... bank $5,000 to $100,000 per month for violations.117 The banks in turn may transfer the fine "downstream" for a merchant to pay; however, a bank may also terminate a merchant's relationship or increase its transaction fees.118 There are 12 standards and other requirements with which a merchant must comply when it accepts credit or debit card payments.119 PCI DSS requires particular methods of encryption, prescribes network security technologies and configurations, and demands or forbids certain practices.120 The purposes of the 12 standards are to build and maintain a secure network, protect cardholder data, ensure the maintenance of "vulnerability management programs," implement strong access control measures, monitor and test networks regularly, and ensure the maintenance of information security policies.121 PCI DSS, which prohibits the storing of sensitive authentication data, requires that "anyone handling credit card data must never store -- even if encrypted -- a card's full track data, card verification code, or PIN verification code after [an] authorization has cleared."122 B
From page 14...
... arguably there may not be a basis for a claim by a customer against the transit agency because the transit agency's contract is not with a member of the public but with a company that has agreed to receive and process transactions.128 Some state statutes refer to or incorporate the PCI DSS and/or apply PCI DSS to any electronic customer data collected by an agency that comes within the statutory definition of a data collector or processor.129 A provision of the Texas Transportation Code that is not a data-breach notification law references the PCI DSS and provides that financial institutions are not criminally liable for accessing electronically readable information from driver's licenses as long as the institutions have accessed the information in a manner that is consistent with PCI DSS Standard 3.4.130 A Washington statute that is a data-breach notification law requires compliance with the PCI DSS. The law releases processors, businesses, and vendors from liability as long as they were certified compliant with the PCI DSS by PCI SSC at the time of a data breach.131 In Washington, a data "processor" is an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity…that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.132 A processor is not liable "if (a)
From page 15...
There are statutes that protect cardholder data but do not refer to the PCI DSS.140 A Florida statute states that PII "held by a public transit provider for the purpose of facilitating the prepayment of transit fares or the acquisition of a prepaid transit fare card or similar device is exempt from" Florida Statutes Annotated Section 119.07(1) (applicable to the inspection and copying of public records)
