If you take credit cards in your business, even a handful a year, the Payment Card Industry (PCI) became your business partner with its new regulations. Worse, states are starting to pass new laws that are guaranteed to hammer small businesses as an example, so the states look like they're doing something rather than really addressing the credit card data loss problem.
Jesper Jurcenoks of NetVigilance again anchored the Security Experts panel during ITEC Kansas City this week. He just returned from a PCI conference in Toronto, and related some chilling stories. Minnesota is, at least so far, the first state to pass a new law about PCI compliance, but other states are working on theirs. This law will kill any small business accused of a credit card data leak that hasn't spent the money on a PCI audit.
The bad news? If you lose credit card data, and can't demonstrate PCI compliance, Minnesota says your company is responsible for all charges made with the credit card number(s) taken. Even if you take a handful of credit card orders per year, and write the numbers down on a sticky note, you fall under PCI jurisdiction. If someone uses the number found on a sticky note, you're on the hook, at least in Minnesota.
If you have had a PCI audit, then the credit card company and the company that processed the stolen number bear the responsibility. Big companies will still lose credit card data, but they will have internal and probably external audits "proving" they're compliant with PCI, no matter how bad their actual security.
Once again, a small company will become the example. Don't let it be you. More on this soon.