"The legislation would also require merchants to use so-called strong encryption routines and access controls while storing or transmitting other types of data, such as card numbers and the names of account holders."
Well, hopefully they mandate logging and log management as well :-)
So, all this "security as a law" makes some people (MJR?) uneasy. Why? Here are the reasons I've heard:
- People will fall for the lure of "checkbox security" and adopt only the bare minimum
- Law will be abused (see DMCA)
- Legal departments will determine which security measures are "necessary"
UPDATE: this blurb shows some of the reasons folks hate "legalized security." It even equates future security with "lawyer-driven regulatory compliance-centric checkbox." Further in the piece it covers some of the reasons why it is not so bad (which I happen to agree with). This might be premature ("Information security as a whole moves from a poorly defined, immeasurable cost center to a clearly specified, predictable compliance function."), but it seems like an overall progress.