Bill Text: TX HB4020 | 2015-2016 | 84th Legislature | Introduced
Bill Title: Relating to the security of certain financial information and liability for certain security breaches.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2015-04-21 - Withdrawn from schedule
84R11229 AJA-F
By: Raymond
H.B. No. 4020
relating to the security of certain financial information and
liability for certain security breaches.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter B, Chapter 521, Business & Commerce
Code, is amended by adding Section 521.0521 to read as follows:
Sec. 521.0521. BUSINESS DUTIES REGARDING CERTAIN PAYMENT
INFORMATION. (a) In this section:
(1) "Access device" means a card that is issued by a
financial institution and that contains a magnetic strip,
microprocessor chip, or other means for storing information. The
term includes a credit card, debit card, or stored value card.
(2) "Breach of system security" has the meaning
assigned by Section 521.053.
(3) "Card security code" means the three-digit or
four-digit value that is printed on an access device or contained in
the microprocessor chip or magnetic strip of an access device and is
used to validate access device information during the authorization
process.
(4) "Financial institution" has the meaning assigned
by Section 201.101, Finance Code.
(5) "Magnetic strip data" means data contained in the
magnetic strip of an access device.
(6) "Microprocessor chip data" means data contained in
the microprocessor chip of an access device.
(7) "PIN" means a personal identification code that
identifies the cardholder.
(8) "PIN verification code data" means data used to
verify cardholder identity when a PIN is used in a transaction.
(9) "Service provider" means a person or entity that
stores, processes, or transmits access device data on behalf of a
business.
(b) Except as provided by this subsection, a business that
accepts an access device in connection with a transaction may not,
after authorization, retain the card security code, the PIN
verification code data, or the full contents of any track of
magnetic strip data. In the case of a PIN debit transaction, a code
or data described by this subsection may be retained for not more
than 48 hours after authorization.
(c) A business is in violation of Subsection (b) if its
service provider retains a code or data described by that
subsection after authorization except as permitted by that
subsection.
(d) If there is a breach of system security of a business
that has violated this section or a breach of system security of the
business's service provider, the business shall reimburse the
financial institution that issued any access device affected by the
breach for the costs of reasonable actions undertaken by the
financial institution as a result of the breach to protect the
information of its cardholders or to continue to provide services
to cardholders, including any cost incurred in connection with:
(1) the cancellation or reissuance of any access
device affected by the breach;
(2) the closure of any deposit, transaction, share
draft, or other account affected by the breach and any action to
stop payments or block transactions with respect to the account;
(3) the opening or reopening of any deposit,
transaction, share draft, or other account affected by the breach;
(4) any refund or credit made to a cardholder to cover
the cost of any unauthorized transaction relating to the breach;
and
(5) the notification of cardholders affected by the
breach.
(e) In addition to reimbursement under Subsection (d), the
financial institution is entitled to recover costs for damages paid
by the financial institution to cardholders injured by a breach of
system security of a business that has violated this section or a
breach of system security of the business's service provider.
(f) Costs that may be recovered under this section do not
include any costs recovered from a credit card company by a
financial institution.
(g) The remedies provided by this section are cumulative and
do not restrict any other right or remedy otherwise available to the
financial institution.
SECTION 2. (a) Section 521.0521, Business & Commerce Code,
as added by this Act, applies to the retention of codes and data
arising from transactions authorized before the effective date of
this Act as provided by this section.
(b) For transactions authorized before the effective date
of this Act, a business or its service provider may not retain any
codes or data described by Section 521.0521(b), Business & Commerce
Code, as added by this Act, other than codes or data arising from a
PIN debit transaction that occurred less than 48 hours before the
effective date of the Act.
(c) Codes and data arising from a PIN debit transaction
authorized less than 48 hours before the effective date of this Act
may not be retained for more than 48 hours after authorization.
SECTION 3. This Act takes effect September 1, 2015.