A BILL TO BE ENTITLED

AN ACT

relating to the security of certain financial information and liability for certain security breaches.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subchapter B, Chapter 521, Business & Commerce Code, is amended by adding Section 521.0521 to read as follows:

Sec. 521.0521. BUSINESS DUTIES REGARDING CERTAIN PAYMENT INFORMATION. (a) In this section:

(1) "Access device" means a card that is issued by a financial institution and that contains a magnetic strip, microprocessor chip, or other means for storing information. The term includes a credit card, debit card, or stored value card.

(2) "Breach of system security" has the meaning assigned by Section 521.053.

(3) "Card security code" means the three-digit or four-digit value that is printed on an access device or contained in the microprocessor chip or magnetic strip of an access device and is used to validate access device information during the authorization process.

(4) "Financial institution" has the meaning assigned by Section 201.101, Finance Code.

(5) "Magnetic strip data" means data contained in the magnetic strip of an access device.

(6) "Microprocessor chip data" means data contained in the microprocessor chip of an access device.

(7) "PIN" means a personal identification code that identifies the cardholder.

(8) "PIN verification code data" means data used to verify cardholder identity when a PIN is used in a transaction.

(9) "Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of a business.

(b) Except as provided by this subsection, a business that accepts an access device in connection with a transaction may not, after authorization, retain the card security code, the PIN verification code data, or the full contents of any track of magnetic strip data. In the case of a PIN debit transaction, a code or data described by this subsection may be retained for not more than 48 hours after authorization.

(c) A business is in violation of Subsection (b) if its service provider retains a code or data described by that subsection after authorization except as permitted by that subsection.

(d) If there is a breach of system security of a business that has violated this section or a breach of system security of the business's service provider, the business shall reimburse the financial institution that issued any access device affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach to protect the information of its cardholders or to continue to provide services to cardholders, including any cost incurred in connection with:

(1) the cancellation or reissuance of any access device affected by the breach;

(2) the closure of any deposit, transaction, share draft, or other account affected by the breach and any action to stop payments or block transactions with respect to the account;

(3) the opening or reopening of any deposit, transaction, share draft, or other account affected by the breach;

(4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and

(5) the notification of cardholders affected by the breach.

(e) In addition to reimbursement under Subsection (d), the financial institution is entitled to recover costs for damages paid by the financial institution to cardholders injured by a breach of system security of a business that has violated this section or a breach of system security of the business's service provider.

(f) Costs that may be recovered under this section do not include any costs recovered from a credit card company by a financial institution.

(g) The remedies provided by this section are cumulative and do not restrict any other right or remedy otherwise available to the financial institution.

SECTION 2. (a) Section 521.0521, Business & Commerce Code, as added by this Act, applies to the retention of codes and data arising from transactions authorized before the effective date of this Act as provided by this section.

(b) For transactions authorized before the effective date of this Act, a business or its service provider may not retain any codes or data described by Section 521.0521(b), Business & Commerce Code, as added by this Act, other than codes or data arising from a PIN debit transaction that occurred less than 48 hours before the effective date of the Act.

(c) Codes and data arising from a PIN debit transaction authorized less than 48 hours before the effective date of this Act may not be retained for more than 48 hours after authorization.

SECTION 3. This Act takes effect September 1, 2015.