January - February 2010

Regulatory (pg 1 of 2)

Two States Pass Strict PCI Compliance Laws

Nevada and Massachusetts have passed laws that deal strictly with Payment Card Industry (PCI) compliance. The laws focus on protecting personal information of consumers while it is “at rest” as well as when it is transmitted.

Nevada
Nevada Senate Bill 227, the Nevada Data Security and Privacy Law, became effective January 1, 2010. It is called a groundbreaking law because Nevada is the first state to require compliance with PCI-DSS (the Payment Card Industry Data Security Standard) in its entirety. It remains to be seen whether this law will create a nationwide response similar to what happened after California enacted the first information security breach notification statute.

To understand any law, it is important to understand the definitions. In this law, the following are essential to comprehension:

Data Collector includes corporations and financial institutions that (whether by automated collection or otherwise) handle, collect, disseminate or otherwise deal with nonpublic personal information.

Data Storage Device means any device that stores information or data from any electronic or optical medium, including, but not limited to, computers, cellular telephones, magnetic tape, electronic computer drives and optical computer drives, and the medium itself.

Personal Information includes:

· Social Security number (SSN) (excluding truncated ones with only the last 4 digits);

· Driver's license (DL) or identification card (ID) number; or

· Account number, credit card or debit card number, in combination with any required code that permits access to an account.

Requirements of the Law
If accepting payments via payment card, the data collector must comply with PCI-DSS in its entirety.

If not accepting payments via a payment card, the data collector must use encryption when it transmits a consumer's personal information electronically beyond its secure environment, or when a data storage device is moved beyond the logical or physical controls of the collector or its data storage contractor.

This law applies to a company’s operation anywhere in the U.S. if the company does business in Nevada. It applies regardless of whether the personal information involved is related to Nevada residents or residents of other states.

The requirements do not apply to:

· A telecommunications provider acting solely in the role of conveying the communications of other persons; or

· Data transmission over a secure, private communication channel for specified reasons.

The law may be read at http://leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.

Copyright © 2010. All rights reserved.