It’s in the cards

California once led the nation in combating identity theft, requiring businesses to notify customers when credit card or other personal data may have ended up in the wrong hands. But then this state’s leadership in that arena came to a halt, and we watched from the sidelines as others, such as Minnesota, put in place common-sense procedures to minimize the damage caused by security breaches.

For the second year straight, lawmakers here have attempted to put California back on track with a measure to prevent companies from storing credit or debit card data after a transaction is completed. That way, even if a system is hacked, there will be no personal customer information for identity thieves to steal.

Businesses argue that the payment card industry already has established security standards, and that’s the reason Gov. Arnold Schwarzenegger gave for vetoing the data-breach bill last year. The problem is that many companies that accept credit and debit cards don’t bother complying with the voluntary standards and are only too happy to avoid the costs of doing so. California consumers remain vulnerable to hackers, even if their crimes do not reach the scale of the 2005 TJ Maxx/Marshalls breach, which compromised the data of more than 45 million customers.

Assembly Bill 1656, by Dave Jones (D-Sacramento), takes some of the sting out of last year’s bill by deleting the mandate that merchants whose records were hacked pay for replacing the consumer’s plastic card. But it keeps intact the prohibition against a business storing sensitive authentication and verification data, such as a customer’s password or PIN. Payment-related data could not be transmitted over a public network, such as the Internet, unless it is encrypted; businesses would not be permitted to allow employees access to it if their job doesn’t require it; and information would have to be deleted after it is no longer needed, under protocols to be adopted by the businesses.

Naturally, many merchants still oppose a bill that would require them, for the first time in California, to take financial responsibility for securing consumer information. But those little cards with the numbers on one side and the magnetic strip on the other have been a big boon to business, and it is appropriate that business does its part to safeguard consumers who choose plastic over paper. This time, Schwarzenegger should sign the bill.