Retailers look to exorcise credit-card data
Robert Lemos, SecurityFocus 2007-10-09

Beset by the public-relations nightmare of numerous data breaches, U.S. retailers proposed last week that they not be required to store credit-card data following a transaction.

California's pending data law could be a roadblock 2007-10-11
Benjamin Wright, hack-igations.com
NRF proposes the innovative solution of requiring merchants to store just 'authorization code' and 'truncated receipt'. This is the kind of creative thinking the industry needs. However, this solution might be illegal under California's pending Assembly Bill 779. The words of AB 779 are unclear and poorly defined. For example, AB 779 would forbid a merchant from storing various data elements such as 'payment verification code' and 'payment verification value'. The legislation does not define these terms, and my research finds no clear industry definitions for these terms. (Part of the issue is that different industry players use different words. Further, neither PCI version 1.1 nor its Glossary defines 'payment verification code' or 'payment verification value'.) Therefore, AB 779, if it becomes law, would cause confusion and roadblocks as the industry changes and technology evolves. Parties would not know whether the good data elements they want to store will later in court be interpreted as the data elements AB 779 bans from storage. See detailed analysis at http://hack-igations.blogspot.com

--Benjamin Wright, Dallas, Texas

Solid and practical 2007-10-16
DaveC (1 replies)
Re: Solid and practical 2007-10-23
Sandu Mihai







 

Copyright 2008, SecurityFocus