HB5311ham001 95TH GENERAL ASSEMBLY

Consumer Protection Committee

Filed: 3/11/2008

09500HB5311ham001

LRB095 18444 LCT 47516 a

1 AMENDMENT TO HOUSE BILL 5311

2 AMENDMENT NO. ______. Amend House Bill 5311 by replacing

3 the title with the following:

4 "An ACT concerning financial regulation."; and

5 by replacing everything after the enacting clause with the

6 following:

7 "Section 5. The Electronic Fund Transfer Act is amended by

8 changing Section 10 and by adding Section 10.1 as follows:

9 (205 ILCS 616/10)

10 Sec. 10. Definitions. For purposes of this Act, the words

11 and phrases defined in this Section shall have the meanings

12 ascribed to them unless the context requires otherwise.

13 Whenever the terms "network" and "switch" are used, they shall

14 be deemed interchangeable unless, from the context and facts,

15 the intention is plain to apply only to one type of entity.

09500HB5311ham001

- 2 -

LRB095 18444 LCT 47516 a

1 "Access device" means a card, code, or other means of

2 access to an account, or any combination thereof, that may be

3 used by a customer to initiate an electronic fund transfer at a

4 terminal. An "access device" contains a magnetic stripe,

5 microprocessor chip, or other means for storage information

6 that includes, but is not limited to, a credit card, debit

7 card, or stored value card.

8 "Account" means a demand deposit, savings deposit, share,

9 member, or other customer asset account held by a financial

10 institution.

11 An "affiliate" of, or a person "affiliated" with, a

12 specified person, means a person that directly, or indirectly

13 through one or more intermediaries, controls, is controlled by,

14 or is under common control with, the person specified.

15 "Breach of the security of the system" has the meaning

16 given in Section 5 of the Personal Information Protection Act.

17 "Card security code" means the 3-digit or 4-digit value

18 printed on an access device or contained in the microprocessor

19 chip or magnetic stripe of an access device that is used to

20 validate access device information during the authorization

21 process.

22 "Commissioner" means the Commissioner of Banks and Real

23 Estate or a person authorized by the Commissioner, the Office

24 of Banks and Real Estate Act, or this Act to act in the

25 Commissioner's stead.

26 "Magnetic stripe data" means data contained in the magnetic

09500HB5311ham001

- 3 -

LRB095 18444 LCT 47516 a

1 strip of an access device.

2 "Microprocessor chip data" means the data contained in the

3 microprocessor chip of an access device.

4 "Electronic fund transfer" means a transfer of funds, other

5 than a transaction originated by check, draft, or similar paper

6 instrument, that is initiated through a terminal for the

7 purpose of ordering, instructing, or authorizing a financial

8 institution to debit or credit an account.

9 "Financial institution" means a bank established under the

10 laws of this or any other state or established under the laws

11 of the United States, a savings and loan association or savings

12 bank established under the laws of this or any other state or

13 established under the laws of the United States, a credit union

14 established under the laws of this or any other state or

15 established under the laws of the United States, or a licensee

16 under the Consumer Installment Loan Act or the Sales Finance

17 Agency Act.

18 "Interchange transaction" means an electronic fund

19 transfer that results in exchange of data and settlement of

20 funds between 2 or more unaffiliated financial institutions.

21 "Network" means an electronic information communication

22 and processing system that processes interchange transactions.

23 "Person" means a natural person, corporation, unit of

24 government or governmental subdivision or agency, trust,

25 estate, partnership, cooperative, or association.

26 "PIN" means a personal identification code that identifies

09500HB5311ham001

- 4 -

LRB095 18444 LCT 47516 a

1 the cardholder.

2 "PIN verification code number" means the data used to

3 verify cardholder identity when a PIN is used in a transaction.

4 "Seller of goods and services" means a business entity

5 other than a financial institution.

6 "Service provider" means a person or entity that stores,

7 processes, or transmits access device data on behalf of another

8 person or entity.

9 "Switch" means an electronic information and communication

10 processing facility that processes interchange transactions on

11 behalf of a network. This term does not include an electronic

12 information and communication processing company (1) that is

13 owned by a bank holding company or an affiliate of a bank

14 holding company and used solely for transmissions among

15 affiliates of the bank holding company or (2) to the extent

16 that the facility, by virtue of a contractual relationship, is

17 used solely for transmissions among affiliates of a bank

18 holding company, regardless of whether the facility is an

19 affiliate of the bank holding company or operates as a switch

20 with respect to one or more networks under an independent

21 contractual relationship.

22 "Terminal" means an electronic device through which a

23 consumer may initiate an interchange transaction. This term

24 does not include (1) a telephone, (2) an electronic device

25 located in a personal residence, (3) a personal computer or

26 other electronic device used primarily for personal, family, or

09500HB5311ham001

- 5 -

LRB095 18444 LCT 47516 a

1 household purposes, (4) an electronic device owned or operated

2 by a seller of goods and services unless the device is

3 connected either directly or indirectly to a financial

4 institution and is operated in a manner that provides access to

5 an account by means of a personal and confidential code or

6 other security mechanism (other than signature), (5) an

7 electronic device that is not accessible to persons other than

8 employees of a financial institution or affiliate of a

9 financial institution, or (6) an electronic device that is

10 established by a financial institution on a proprietary basis

11 that is identified as such and that cannot be accessed by

12 customers of other financial institutions. The Commissioner

13 may issue a written rule that excludes additional electronic

14 devices from the definition of the term "terminal".

15 (Source: P.A. 89-310, eff. 1-1-96; 89-508, eff. 7-3-96.)

16 (205 ILCS 616/10.1 new)

17 Sec. 10.1. Security or identification information, data

18 capture, and storage restrictions and liability.

19 (a) No person or entity conducting business in Illinois

20 that accepts an access device in connection with an electronic

21 fund transfer transaction (whether PIN or signature based)

22 shall: (1) retain the card security code data; (2) retain the

23 PIN verification code number; (3) retain the full contents of

24 any track of magnetic stripe data, subsequent to the

25 authorization of the transaction of in the case of a PIN debit

09500HB5311ham001

- 6 -

LRB095 18444 LCT 47516 a

1 transaction, subsequent to 48 hours after authorization of the

2 transaction on days the issuing bank is open for settlement; or

3 (4) store any payment-related data that is not needed for

4 business purposes. A person or entity is in violation of this

5 Section if its service provider retains such data subsequent to

6 the authorization of the transaction or in the case of a PIN

7 debit transaction, subsequent to 48 hours after authorization

8 of the transaction.

9 (b) Whenever there is a breach of the security of the

10 system of a person or entity that has violated this Section, or

11 that person's or entity's service provider, that person or

12 entity shall reimburse the financial institution that issued

13 any access devices affected by the breach for consequential

14 damages and costs for reasonable actions undertaken by the

15 financial institution as a result of the breach.

16 Section 99. Effective date. This Act takes effect upon

17 becoming law.".