New Mexico Statutes Chapter 58. Financial Institutions and Regulations § 58-16-13. Confidentiality

A. Every merchant having a POS terminal on its premises and every financial institution contracting for use of or operating a remote financial service unit shall adopt and maintain safeguards to insure the safety of funds of any third party in situations where deposits are accepted or cash advances or withdrawals are made and to insure the safety of items and other information, which safeguards shall include security precautions consistent with the appropriate minimum security requirements specified by applicable federal or state law or by federal or state regulatory agencies having jurisdiction over the POS terminal or remote financial service unit.

B. A social security number shall not be used as a PIN or code to activate any remote financial service unit.

C. To protect the privacy of persons using remote financial service units, information concerning a cardholder's account that is received by or processed through such units shall be treated and used only in accordance with applicable law relating to the dissemination and disclosure of such information. Any person operating a POS terminal shall take such steps as are reasonably necessary to protect the confidentiality of any information received or obtained about a cardholder's account by any individual manning a POS terminal.

D. No person shall use or attempt to use a remote financial service unit for the purpose of obtaining any information concerning the account of a cardholder of a financial institution without prior approval of the cardholder, except where such information is reasonably necessary to complete or prevent the completion of or to reconstruct a transaction initiated through the remote financial service unit. No person shall obtain through the use of a remote financial service unit any information concerning the account of a cardholder other than that reasonably necessary to effect or prevent the transaction that the cardholder seeks to accomplish through its use or to reconstruct a transaction initiated through the remote financial service unit.

E. Any transaction shall include the issuance of a receipt to the cardholder. No receipt shall be required, however, in any transaction involving a negotiable instrument that shall itself become a receipt.