Prohibits a person conducting business in Washington that accepts an access device in connection with a transaction from retaining the card security code data, the PIN verification code number, or access device account data other than the cardholder's name, primary account number, expiration date, and service code after the authorization of the transaction or, in the case of a PIN debit transaction, forty-eight hours after authorization of the transaction.

Prohibits a service provider that processes access device transactions for or on behalf of a person who conducts business in Washington from retaining the card security code data, the PIN verification code number, or access device account data other than the cardholder's name, primary account number, expiration date, and service code after the settlement of the transaction or, in the case of a PIN debit transaction, forty-eight hours after authorization of the transaction.

Prescribes penalties.

Provides remedies for a breach of the security of the system occurring after January 1, 2010.