Reprinted

February 18, 2009





SENATE BILL No. 60

_____


DIGEST OF SB 60 (Updated February 17, 2009 3:00 pm - DI 110)



Citations Affected: IC 24-4.

Synopsis: Prohibit retention of certain access device data. Prohibits a person that accepts an access device card, such as a credit card, debit card, or stored value card, in connection with a transaction, from retaining the card security code, the PIN verification code number, or the full contents of the information contained in the magnetic stripe or microprocessor chip of the access device: (1) after authorization of the transaction if the transaction is not a PIN debit transaction; or (2) more than 48 hours after authorization of the transaction if the transaction is a PIN debit transaction. Requires a person that violates the prohibition to reimburse a state or federally chartered or federally insured financial institution for the costs associated with a breach of the security of a system of the person.

Effective: July 1, 2009.





Walker, Stutzman




    January 7, 2009, read first time and referred to Committee on Insurance and Financial Institutions.
    February 9, 2009, amended, reported favorably - Do Pass.
    February 17, 2009, read second time, amended, ordered engrossed.






First Regular Session 116th General Assembly (2009)



SENATE BILL No. 60



    A BILL FOR AN ACT to amend the Indiana Code concerning trade regulation.

Be it enacted by the General Assembly of the State of Indiana:

    SECTION 1. IC 24-4-17 IS ADDED TO THE INDIANA CODE AS A NEW CHAPTER TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2009]:
     Chapter 17. Access Devices; Breach of Security
    Sec. 1. (a) As used in this chapter, "access device" means a card issued by a financial institution that contains:
        (1) a magnetic stripe;
        (2) a microprocessor chip; or
        (3) other means for storing information.
    (b) The term includes a credit card, debit card, or stored value card.
    Sec. 2. As used in this chapter, "breach of the security of a system" has the meaning set forth in IC 24-4.9-2-2.
    Sec. 3. As used in this chapter, "card security code" means the three (3) or four (4) digit code used to validate information stored on an access device during the authorization process that is:
        (1) printed on an access device; or
        (2) contained in one (1) or more of the following of an access device:
            (A) A microprocessor chip.
            (B) A magnetic stripe.
            (C) Any other means used to store information.
    Sec. 4. As used in this chapter, "state or federally chartered or federally insured financial institution" has the meaning set forth in IC 35-43-5-8(b).
    Sec. 5. (a) As used in this chapter, "person" has the meaning set forth in IC 24-4.9-2-9.
    (b) The term does not include the following:
        (1) A business entity to which the consumer has granted authorization for the retention of credit card information for processing recurring payments.
        (2) A financial institution (as defined in IC 4-4-28-3) or an agent of a financial institution that retains credit card information in the regular business of providing credit card services to consumers.
    Sec. 6. As used in this chapter, "PIN" means a personal identification code that identifies the cardholder.
    Sec. 7. As used in this chapter, "PIN verification code number" means the data used to verify a cardholder's identity when a PIN is used in a transaction.
    Sec. 8. A person that accepts an access device in connection with a transaction may not retain the card security code, the PIN verification code number, or the full contents of the information contained in the magnetic stripe or microprocessor chip of the access device:
        (1) after authorization of the transaction if the transaction is not a PIN debit transaction; or
        (2) more than forty-eight (48) hours after authorization of the transaction if the transaction is a PIN debit transaction.
    Sec. 9. (a) As used in this section, "costs" include the cost of:
        (1) canceling or reissuing an access device;
        (2) closing a deposit, transaction, share draft, or other account and an action to stop payment or block transaction with respect to the account;
        (3) opening or reopening a deposit, transaction, share draft, or other account;
        (4) refunding or crediting a cardholder to cover the cost of an unauthorized transaction;
        (5) notifying a cardholder; and
        (6) damages paid to a cardholder injured by a breach of the security of a system.
The term does not include any costs that a state or federally chartered or federally insured financial institution recovers from a credit card vendor.

     (b) If there is a breach of the security of a system of a person that violated section 8 of this chapter, the person shall reimburse a state or federally chartered or federally insured financial institution that issued an access device that is affected by the breach of the security of a system for the costs of reasonable actions undertaken by the state or federally chartered or federally insured financial institution as a result of the breach of the security of a system to protect the information of a cardholder or to continue to provide services to a cardholder.
     (c) This section does not restrict any other right or remedy otherwise available to a state or federally chartered or federally insured financial institution.