ASSEMBLY, No. 4346

STATE OF NEW JERSEY

217th LEGISLATURE

INTRODUCED DECEMBER 5, 2016

Sponsored by:

Assemblywoman  ANNETTE QUIJANO

District 20 (Union)

SYNOPSIS

     "Consumer ATM and Credit Card Protection Act."

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning payment and withdrawal systems and supplementing Title 17 of the Revised Statutes.

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    This act shall be known and may be cited as the "Consumer ATM and Credit Card Protection Act."

     2.    As used in this act:

     "Access controlled entry" means an entryway that is unlocked by a customer swiping a credit or debit card to access an automated teller machine or a card payment machine.

     "Automated teller machine" means any electronic information processing device located in the State of New Jersey which accepts or dispenses cash in connection with a credit or deposit account.

     "Card payment machine" means any electronic information processing device located in the State of New Jersey by which payments may be made by means of a credit or debit card.

     "Credit card" means any instrument or device linked to an established line of credit, whether known as a credit card, charge card, credit plate, or by any other name, issued with or without fee by an issuer for the use of the cardholder in satisfying outstanding financial obligations, or in obtaining money, goods, services or anything else of value on credit.

     "Debit card" means any instrument or device, whether known as a debit card, automated teller machine card, or by any other name, issued with or without fee by an issuer for the use of the cardholder in obtaining money, goods, services or anything else of value through the electronic authorization of a financial institution to debit the cardholder's account.

     "Operator" means any State or federally chartered bank, savings bank, savings and loan association, credit union, or other individual or entity, including a retail mercantile establishment or State or local government, which owns or operates an automated teller machine or card payment machine.

     "Payment or withdrawal system" or "system" means an automated teller machine or card payment machine which is publicly accessible, and includes any access controlled entry to those machines.

     "Publicly accessible" means located in an area that is not restricted to public access, but includes card payment machines located at motor fuel pumps, even if customers are not permitted to operate those machines.  An automated teller machine or card payment machine shall be considered publicly accessible even if it is accessible only through an access controlled entry.

     3.    a.  (1)  Except for an operator that opts out of the provisions of this act pursuant to paragraph (2) of subsection b. of this section, every operator of a payment or withdrawal system located in this State shall perform a daily inspection of that system for any device intended to compromise the personal information of a customer, including, but not limited to, skimmers, unapproved cameras, or other foreign objects.

     (2)   If an operator of a payment or withdrawal system finds a device intended to compromise the personal information of a customer during a daily inspection conducted pursuant to paragraph (1) of this subsection, the operator shall:

     (a) disable that system until the device has been removed and the system has been inspected and found to no longer compromise personal information;

     (b)   send a notice to each person that used the payment or withdrawal system since the previous inspection was performed informing that person of the potential compromise of personal information; and

     (c) notify the Department of Banking and Insurance when a device is found and when a device is removed.

     b.    Every payment or withdrawal system located in this State shall have displayed on or near it, in a conspicuous place, a permanent, affixed label or a notice that appears on the system screen that is visible before a customer swipes a debit or credit card or enters any personal information that clearly indicates that the operator of the system:

     (1) inspects the system on a daily basis for devices intended to compromise the personal information of customers, and disables the system if a device is found until the device has been removed; or

     (2)   has opted out of the provisions of this act and does not inspect the system on a daily basis for devices intended to compromise the personal information of customers, and that customers use the system at their own risk.

     4.    a.  (1)  Except as provided in paragraph (2) of this subsection, every operator of a payment or withdrawal system located in this State shall submit to the Department of Banking and Insurance a certification that the operator has complied with the requirements of section 3 of this act, on the form promulgated by the department pursuant to subsection b. of this section, every six months. 

     (2)   The requirements of paragraph (1) of this subsection shall not apply to an operator that provides the Commissioner of Banking and Insurance with notice that it has opted out of the provisions of this act and complies with the requirements of paragraph (2) of subsection b. of section 3 of this act.  The commissioner shall create procedures for operators to notify the department of opting out of the provisions of this act.

     b.    The commissioner shall create a form on which the operator of a payment or withdrawal system located in this State may certify the daily inspections required pursuant to this act, and shall create procedures for the submission of that form.  The commissioner shall also create procedures for operators to notify the department when a device intended to compromise the personal information of a customer is found or removed, as required in paragraph (2) of subsection a. of section 3 of this act.

     c.     Any party found to be in violation of this act shall be subject to a civil penalty of not more than $1,000 per day for each day that the party is in violation of this act, which penalty may be collected by summary proceedings instituted by the Commissioner of Banking and Insurance in accordance with the "Penalty Enforcement Law of 1999," P.L.1999, c.274 (C.2A:58-10 et seq.). 

     5.    This act shall take effect on the first day of the third month next following enactment.

STATEMENT

     This bill requires operators of publicly accessible payment or withdrawal systems to take certain actions to protect customer information.  This bill confronts the problem of "skimmers," or devices used to steal customers' personal information when they use their credit or debit cards at automatic teller machines or other card payment machines.  If a customer's credit or debit card information is compromised in this fashion, it can lead to financial disaster; there are reports of thieves using skimmers to empty entire bank accounts.

     Specifically, the bill requires every operator of a publicly accessible credit or debit card payment machine, automated teller machine, or controlled access entry located in this State, that does not opt out of the provisions of the bill, to perform a daily inspection of those systems for any device intended to compromise the personal information of a customer, including, but not limited to, skimmers, unapproved cameras, or other foreign objects.  If an operator of a payment or withdrawal system finds a device intended to compromise the personal information of a customer during a daily inspection, the operator must disable that system until the device has been removed and the system has been inspected and found to no longer compromise personal information.  The operator must also send a notice to each person that used the payment or withdrawal system since the previous inspection was performed informing that person of the potential compromise of personal information and notify the Department of Banking and Insurance of the device and its removal.

     The bill also requires every payment or withdrawal system located in this State to have displayed on or near it, in a conspicuous place, a permanent, affixed label or a notice that appears on the screen of the system that is visible before a customer swipes a debit or credit card or enters any personal information that clearly indicates that the operator of the system:

     (1) inspects the system on a daily basis for devices intended to compromise the personal information of customers, and disables the system, if a device is found, until the device has been removed; or

     (2)   does not inspect the system on a daily basis for devices intended to compromise the personal information of customers, and that customers use the system at their own risk.

     The bill requires every operator of a payment or withdrawal system located in this State that does not opt out of the provisions of the bill to submit to the Department of Banking and Insurance a certification that the operator has complied with the requirements of the bill every six months.  The bill requires the Commissioner of Banking and Insurance to create a form on which the operator of a payment or withdrawal system located in this State may certify daily inspections, and to create procedures for the submission of that form.

     Violations of the bill are subject to a civil penalty of not more than $1,000 per day for each day that the party is in violation, which penalty may be collected by summary proceedings.