Consumer Protection Committee
Filed: 3/11/2008
AMENDMENT TO HOUSE BILL 5311
AMENDMENT NO. ______. Amend House Bill 5311 by replacing the title with the following:
"An ACT concerning financial regulation."; and
by replacing everything after the enacting clause with the following:
"Section 5. The Electronic Fund Transfer Act is amended by changing Section 10 and by adding Section 10.1 as follows:
(205 ILCS 616/10)
Sec. 10. Definitions. For purposes of this Act, the words and phrases defined in this Section shall have the meanings ascribed to them unless the context requires otherwise. Whenever the terms "network" and "switch" are used, they shall be deemed interchangeable unless, from the context and facts, the intention is plain to apply only to one type of entity.
"Access device" means a card, code, or other means of access to an account, or any combination thereof, that may be used by a customer to initiate an electronic fund transfer at a terminal. An "access device" contains a magnetic stripe, microprocessor chip, or other means for storage information that includes, but is not limited to, a credit card, debit card, or stored value card.
"Account" means a demand deposit, savings deposit, share, member, or other customer asset account held by a financial institution.
An "affiliate" of, or a person "affiliated" with, a specified person, means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, the person specified.
"Breach of the security of the system" has the meaning given in Section 5 of the Personal Information Protection Act.
"Card security code" means the 3-digit or 4-digit value printed on an access device or contained in the microprocessor chip or magnetic stripe of an access device that is used to validate access device information during the authorization process.
"Commissioner" means the Commissioner of Banks and Real Estate or a person authorized by the Commissioner, the Office of Banks and Real Estate Act, or this Act to act in the Commissioner's stead.
"Magnetic stripe data" means data contained in the magnetic stripe of an access device.
"Microprocessor chip data" means the data contained in the microprocessor chip of an access device.
"Electronic fund transfer" means a transfer of funds, other than a transaction originated by check, draft, or similar paper instrument, that is initiated through a terminal for the purpose of ordering, instructing, or authorizing a financial institution to debit or credit an account.
"Financial institution" means a bank established under the laws of this or any other state or established under the laws of the United States, a savings and loan association or savings bank established under the laws of this or any other state or established under the laws of the United States, a credit union established under the laws of this or any other state or established under the laws of the United States, or a licensee under the Consumer Installment Loan Act or the Sales Finance Agency Act.
"Interchange transaction" means an electronic fund transfer that results in exchange of data and settlement of funds between 2 or more unaffiliated financial institutions.
"Network" means an electronic information communication and processing system that processes interchange transactions.
"Person" means a natural person, corporation, unit of government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.
"PIN" means a personal identification code that identifies the cardholder.
"PIN verification code number" means the data used to verify cardholder identity when a PIN is used in a transaction.
"Seller of goods and services" means a business entity other than a financial institution.
"Service provider" means a person or entity that stores, processes, or transmits access device data on behalf of another person or entity.
"Switch" means an electronic information and communication processing facility that processes interchange transactions on behalf of a network. This term does not include an electronic information and communication processing company (1) that is owned by a bank holding company or an affiliate of a bank holding company and used solely for transmissions among affiliates of the bank holding company or (2) to the extent that the facility, by virtue of a contractual relationship, is used solely for transmissions among affiliates of a bank holding company, regardless of whether the facility is an affiliate of the bank holding company or operates as a switch with respect to one or more networks under an independent contractual relationship.
"Terminal" means an electronic device through which a consumer may initiate an interchange transaction. This term does not include (1) a telephone, (2) an electronic device located in a personal residence, (3) a personal computer or other electronic device used primarily for personal, family, or household purposes, (4) an electronic device owned or operated by a seller of goods and services unless the device is connected either directly or indirectly to a financial institution and is operated in a manner that provides access to an account by means of a personal and confidential code or other security mechanism (other than signature), (5) an electronic device that is not accessible to persons other than employees of a financial institution or affiliate of a financial institution, or (6) an electronic device that is established by a financial institution on a proprietary basis that is identified as such and that cannot be accessed by customers of other financial institutions. The Commissioner may issue a written rule that excludes additional electronic devices from the definition of the term "terminal".
(Source: P.A. 89-310, eff. 1-1-96; 89-508, eff. 7-3-96.)
(205 ILCS 616/10.1 new)
Sec. 10.1. Security or identification information, data capture, and storage restrictions and liability.
(a) No person or entity conducting business in Illinois that accepts an access device in connection with an electronic fund transfer transaction (whether PIN or signature based) shall: (1) retain the card security code data; (2) retain the PIN verification code number; (3) retain the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction on days the issuing bank is open for settlement; or (4) store any payment-related data that is not needed for business purposes. A person or entity is in violation of this Section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.
(b) Whenever there is a breach of the security of the system of a person or entity that has violated this Section, or that person's or entity's service provider, that person or entity shall reimburse the financial institution that issued any access devices affected by the breach for consequential damages and costs for reasonable actions undertaken by the financial institution as a result of the breach.
Section 99. Effective date. This Act takes effect upon becoming law.".