Olson consumer credit card protection bill is advancing

A bill geared to protect consumers from credit card fraud by making retailers more responsible for data they improperly keep is headed to the Minnesota Senate floor.

The bill, authored by Sen. Mary Olson, DFL-Bemidji, was approved Thursday night by the Senate Judiciary Committee with one "friendly" amendment. The real work, however, came Tuesday in the Senate Commerce and Consumer Protection Committee, which recommended the bill to pass after amendments were made to make it less onerous to small retailers.

"I'm very happy; in fact, I have more now in terms of what I originally would have liked before we started," Olson said Thursday night.

The legislation prohibits companies or retailers from keeping the secure information stored on a credit- or debit-card's magnetic strip in their computer databases after a transaction is completed. The magnetic strips on payment cards contain sensitive information such as the customer's name, account number, PIN, card expiration date and security code data.

"Credit card fraud can be devastating to consumers," said Olson. "It often takes months or years to completely resolve fraudulent charges, and to re-establish one's credit. Companies and merchants should not be allowed to keep this information where it can fall into the wrong hands."


Currently, payment card industry standards prohibit companies from retaining magnetic strip information. Olson's bill would put the industry standards into Minnesota law, allowing the state to impose penalties on companies that are not securely purging their customers' private information from their computer systems.

But opponents of the bill feared it would impose onerous regulations on small retailers, who most likely don't even know they are keeping such data in their computers or how to delete it safely and without high expense.

"This will really have an adverse effect on small retailers," Sen. Debbie Johnson, R-Ham Lake, said at Tuesday's Senate commerce hearing. "Retailers don't know how to take this out of their computer systems."

Retailers are already under contracts with major credit card issuers, such as Visa and Master Charge, which prohibit keeping such data, testified Buzz Anderson, president of the Minnesota Retailers Association. In many cases, such agreements are as thick as the St. Paul phone book, he said.

"The contracts are so complicated, many can't understand it," he said. "Yet, the retailer must accept debit/credit cards to do business."

As the issuers are now requiring that such personal information data not be kept, the bill is unnecessary, he argued. And the credit card companies are constantly auditing.

But Olson argued that some companies make loose use of that data, such as for marketing targeting and determining credit worthiness. "They are not handling information in a responsible way. They will bear that financial responsibility."

Currently, responsibility for the consequences of fraud due to a security breach of information lies with the card issuer, she said, which includes small banks and credit unions. Her bill places retailers on the line for responsibility, also.


She cited the recent security breach at TJX, the parent company of T.J. Maxx, Marshall's, and several other retailers, as one of the primary reasons for bringing the bill forward. Investigators estimate that hackers gained access to private information from 45 million credit and debit cards in the breach, information that TJX had stored in its computer system.

Florida investigators have charged six people in connection with the breach, claiming they used the stolen credit card information to make more than $8 million in fraudulent purchases.

"The TJX scandal confirms the need for this legislation," said Olson. "Consumers trust companies to protect their financial information. The state should take an active role in ensuring that companies take that trust seriously."

"Card fraud and mounting credit card losses have become an increasingly large problem for the members of my credit union and for all consumers in Minnesota and consumers all across the country who carry credit and debit cards," testified Bill Raker, president and CEO of US Federal Credit Union in Burnsville.

The T.J. Maxx incident alone affected 4,500 cards at his credit union, costing $22,500 to fix.

The problem, Raker said, also affects consumers directly as companies freeze accounts when a breach is discovered, leaving high and dry people on vacation or those seeking to purchase items at an immediate discount, such as airline tickets.

When retailers keeping data are subject to hackers, it is "the institutions that suffer the loss of members' trust," Raker said.

Johnson argued that small retailers would have a difficult time securing insurance for such a breach of data, but Olson said that insurance can be agreed to anytime a risk is perceived and a contract made between an insurer and the insured.


In answer to small retailers, Olson forged an amendment which would:

• Allow retailers to delete the data "at the completion of the transaction." Anderson argued that the data is needed for 24 to 48 hours, so that the card company has cleared the purchase.

• Prevent double-charging, so a retailer doesn't face both a penalty as prescribed under the bill for security breach of data as well as a defined fee or penalty under the credit card agreements they have with issuers.

• Exclude the smallest class of retailers, as defined by four levels of retailers under Visa/Master Card contracts, recognizing that small retailers would have a more difficult time with the technology to delete the information.

"I'm not 100 percent happy with that," Olson said of the last provision, "but reasonably satisfied."

The bill specifies that a company or retailer violating security breach is responsible for both notifying their customers and covering the expenses of potential fraud if their customer's information is compromised.

Currently, the responsibility for notification and fraud repayment typically falls on the financial institution backing the credit card. The responsibility will only be shifted to retailers if they are found to have improperly stored credit card information, Olson said.

The Judiciary Committee agreed to an amendment by Sen. Linda Higgins, DFL-Minneapolis, which includes the cardholder or consumer as having their own separate right of action for damages.

"I considered that a friendly amendment," Olson said. "The consumer would be able to take action under the circumstances addressed in the bill."

If a consumer is harmed by a security breach because a retailer has improperly maintained information, "then the consumer would also have a right to some recourse," Olson said, such as expenses to clear credit history.

A companion bill authored by Rep. Jim Davnie, DFL-Minneapolis, which is awaiting a House floor vote, doesn't contain that provision, so a conference committee will be needed, Olson said.

With card issuers now holding most of the liability for fraudulent charges or the expense of notifying cardholders of a security breach, Olson said her bill, "in cases where the information was compromised because the retailer improperly retained the financial information, then the burden will shift to the retailer to incur those charges."
